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Our message 


Customer satisfaction is our top priority. This means that protecting your data is particu- 
larly important. We would like to thank you for the trust you place in us by submitting your 
data to us for processing. As a sign that we respect your rights as well as your privacy, 
we have formulated our policy, which applies when processing your data: 


We attach great importance to transparency when it comes to processing your 
data. This is why we have paid special attention to our data protection declaration in 
order to provide you with the necessary information on how we handle your data. 


It is important to us that you know for what purposes we use your data and when we 
store it. In our data protection declaration, we inform you how and to what extent we 
process your data. 


We process your data only to the extent necessary and use it exclusively for lawful 
and justified purposes. 


In certain cases, we ask you whether you consent to the use of your data. In these 
cases, you yourself decide how and when we use your data. For example, we will 
never send you electronic advertising if you do not desire it. 


In certain cases, we will also ask you on our website and in our app whether you 
would like to voluntarily store certain information. This may be beneficial to speed up 
your next ticket purchase. 


Similarly, we will only send you targeted special offers at your request. The decision 
is yours. 

Our goal is to continually improve ourselves. Please get in touch with us if you 
have concerns. 


We live our principles to the full, particularly in the area of data protection. In the fol- 
lowing sections of this data protection declaration, find out how we process your data 
in the course of our various data applications. 
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When does this data privacy statement apply? 


Our data privacy statement applies to anyone who makes use of one of our products or 
services, visits our websites or uses our apps. This includes: buying a ticket, including an- 
cillary services, such as making a reservation, purchase of a customer card or use of our 
services. 

We are constantly continuing the development of our offers and services. This is also why 
we will constantly adapt our data protection declaration. We will, however, make sure that 
the latest version will always be available to you. 
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Who is responsible for the data processing? 


OBB-Personenverkehr AG (OBB-PV AG), FN [company registration number] 248742y, 
Am Hauptbahnhof 2, 1100 Vienna, tel. +43 1 93000 0, is the controller under data protec- 
tion law, as defined in Article 4(7) GDPR. 


GDPR defines a controller as a natural person or legal entity, authority, institution or other 
body, which, on its own or in conjunction with others, decides on the purposes and 
means of processing personal data. 


version: 2022.04 
Valid from: 27/04/2022 Page: 6 / 59 


OBB 


What do we mean by “personal data”? 


By personal data we mean all information relating to an identified or identifiable natural 
person (hereinafter “data subjects”). 


A natural person is regarded as identifiable if said person can be identified as precisely 
this natural person, in particular through allocation of an identifier such as a name, identi- 
fication number, location data, online identification data or one or more other special fea- 
tures in the particular individual case (e.g. voice). Thus this includes, at the least, the data 
that can be associated with you as a customer. For example, your name, email address, 
telephone number, booking code, ticket code or your customer number are personal 
data. 
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Occasions, purposes and sources from which 
personal data originate as well as our legal basis 


The legal basis of data processing according to Article 6 GDPR comprises either the fulfil- 
ment of the contract, the fulfilment of a statutory obligation, your prior consent or our 
overriding legitimate interests, which may also include processing for a further purpose. 


Data that can be associated with your person can stem from the following occasions, pur- 
poses and sources: 


e If you buy a product from OBB or a cooperating partner or make use of another ser- 
vice (for example purchasing a ticket, buying a customer card, making a reservation 
or using the OBB mobility service). In general, this can be done at ticket vending ma- 
chines, on site at ticket counters or in OBB lounges, by phone through our customer 
service, via one of our external sales partners, online in the ticket shop or using our 
app. 


e If you would like to book a trip via the private OBB account or the OBB business ac- 
count and create or already use an OBB account / OBB business account for this pur- 
pose. 


If your employer (company, school, etc.) or any other third party (e.g. association) has 
opened an OBB business account for you and you have confirmed this account. 


+ If you book a journey through our OBB travel agency. 

e If you book or take out a cancellation/travel insurance. 

e If you purchase an annual ticket or a single ticket for the Tauern motorail. 
e If you register on our website or in our app and create an OBB account. 


e If you use our website tickets.oebb.at or our OBB app for timetable information, to buy 
a ticket or a customer card and use our new services. 


e If we validate your ticket or customer card (i.e. scan and check for validity) 


e If you buy a product from OBB or a cooperating partner through one of our external 
sales partners or on the booking platform of one of our third-party sales partners. 


e If you assert your rights as a passenger or if a penalty fare is involved. 


¢ If you make a request for reimbursement and compensation. Further information in 
connection with the assertion of passenger rights can be found on our website at 


https://www.oebb.at/de/reiseplanung-services/nach-ihrer-reise/fahrgastrechte 
e If there are outstanding debts which have not been paid by a customer. 


e If you contact our OBB customer service with any questions, requests, suggestions, 
complaints, criticism or other comments (e.g. malfunction of a ticket vending ma- 
chine). This includes, among other things, the processing of complaints in the course 
of payment processing, in which case data is either provided by the responsible 
bank / payment service provider or feedback is provided by us to the bank / payment 
service provider in order to process your request. 


e If you use our Chatbot / OBB.Bot for inquiries 


e If we receive feedback from you with regard to our internal quality assurance in order 
to continually improve our service. 


If you use SCOTTY timetable information or a push service or any other additional 
service. 
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e If you use a rental car as a daytime user or commuter. 
e If you avail yourself of our integrated mobility services. 


e If customer cards, annual transport association tickets or other employee credentials 
are misused. 


For statistical surveys and internal risk analyses in order to improve our services or 
systems, in which case the results of these analysis under no circumstances allow us 
to deduce information concerning your person. 


e As required — where possible — if it is necessary to contact you by e-mail or telephone 
and you have provided us with your contact details when booking a ticket (e.g. large- 
scale cancellation of trains or other disruptions, delays and other deviations, espe- 
cially if you have booked a motorail train). 


Provided that we have received your prior consent: for the electronic distribution of of- 
fers and other general news about the OBB Group and its cooperating partners as 
well as information and recommendations tailored to your specific needs for direct 
marketing purposes. 


e If you wish, we also offer location-based services, information and offers in our apps. 


e The delivery of offers for the acquisition of new customers by mail, as long as you do 
not inform us that you do not wish to receive such offers. 


e If you voluntarily participate in pilot projects, usability tests, sweepstakes and other 
campaigns or other customer loyalty measures. 


If you use the contact form on our website to assert a claim regarding personal injury 
or property damage in the event of a train accident. 


If you disclose your data to our train attendants (for example, due to personal injury or 
property damage, theft, or any other incident or concern). 


If a customer under the age of 14 uses OBB-Personenverkehr AG services (e.g. tick- 
ets, newsletter orders, push services), the respective customer must ensure that the 
necessary consent of his or her legal guardian was obtained in advance.. 


If you book a flight and use a passenger train to or from the airport for this purpose 
and we receive data from the airline concerned or its sales partners for this reason. 


Due to the COVID-19 pandemic, legally required as well as voluntary contact data 
collections of OBB customers are carried out, which OBB-PV AG will disclose to the 
competent domestic or international authorities if necessary. 


If we issue a temporary or permanent exclusion from transport services. 


If you book and receive an online consultation from an OBB travel agency or an app 
date at a ticket counter. 


If you book and receive a Schulcard webinar. 


If you participate in one or several pilot projects of the controllers. 


If, as part of the process of issuing a penalty fare or data collection in connection with 
the issuance of an emergency ticket for displaced persons from Ukraine, your ID is 
scanned electronically on the train or at the ticket counter and further processed by 
means of automated systems. Only the necessary data from the ID card will be trans- 
ferred (specific details of the ID card, title, name, date of birth, and, if applicable, the 
name and date of birth of the child, if the child used the train without a ticket). The ID 
card image is transferred only temporarily and is only displayed to the train attendant 
until the data has been cross-checked and confirmed to be correct. 
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Information on data subjects according to Articles 
12 et seq. of the General Data Protection Regulation 
(GDPR) 


Pursuant to the provisions of Article 12 et seq. GDPR, we would like to inform you on the 
following topics: 


OBB-Personenverkehr AG (OBB-PV AG), FN 248742 y, Am Hauptbahnhof 2, 1100 Vi- 
enna, telephone +43 1 93000 0 is the controller under data protection law, as defined in 
Article 4(7) GDPR. 


If you have any questions regarding data protection or the use of your personal data, feel 
free to contact our data protection officer. 


Contact details of the data protection officer: 
OBB-Personenverkehr AG 

Am Hauptbahnhof 2 

1100 Vienna 


E-Mail: datenschutz.personenverkehr@pv.oebb.at 


We will collect personal data ourselves, pursuant to Article 13 GDPR, in the following 
cases and for the following purposes: 


If 


e you disclose your data to our train attendants (for example, due to personal injury or 
property damage, theft, or any other incident or concern). In this case, such data and 
information will be used for the specific purpose of case management as well as for 
conducting legal and official disputes. 


e we collect a penalty fare through our train attendants, where we may scan your ID 
card, or make use of our right to file charges due to non-payment of the amount due; 


* ou assert your statutory passenger rights under Regulation (EU) No. 1371/2007, the 
Railway Transport and Passenger Rights Act or the Fare Conditions and General 
Terms and Conditions of OBB-PV AG and for this purpose use our written refund ap- 
plication form. 


e you make any other request for reimbursement and compensation 
e you avail yourself of our mobility service; 


* you purchase an OBB ticket or customer card in person at a ticket counter, in an 
OBB lounge or from one of our external sales partners, submit a refund application, 
assert your passenger rights (including receipt of a compensation for delays), submit 
complaints, make use of any other services that require the collection of personal 
data (e.g. a change in data or additional data, creation of a customer account, etc.); 


e you contact the OBB customer service to book a ticket or any other service (e.g. 
mobility service, chatbot/OBB.Bot) by phone or contact the customer service for other 
issues (e.g. notification of malfunctions etc.); 


* you open or register for a private OBB account or an OBB business account.. 


* you use the OBB Ticket Shop or the Ticket App for online bookings and trigger an 
electronic payment process (in this case, data must be transmitted to the payment 
service provider for the purpose of payment processing and, if necessary, for risk as- 
sessment); 
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if there is a special entitlement check for a specific product (e.g. in the form of a data 
comparison in the case of products for students offered by a transport association) 


you purchase a customer card; 


you contact one of our employees, our customer service, a ticket counter or train at- 
tendants with criticism or a concern; 


you opt for push services or any other service that we provide; 
you book a service offered by the OBB travel agency; 

you reserve and use the conference rooms of OBB Lounges. 
you participate in sweepstakes and other campaigns; 

you participate in a customer survey or the customer forum; 
you are a Rail & Drive customer and use a car; 

you have registered as a test user for usability testing; 

you have subscribed to the OBB customer magazine Railaxed 
you register for the newsletter (for example at www.nightjet.com); 


you have submitted an affidavit for proceedings by the competition authorities under 
the Unfair Competition ACT (UWG) and have agreed to act as a witness in the course 
of a regulatory dispute, where required 


you have given us your express consent in advance, we will process your data for 
direct marketing purposes in order to send you general information as well as offers 
and services tailored to your individual needs and your mobility and usage behaviour 
by e-mail or SMS or to contact you by telephone. 


If you use the contact form on our website to assert a claim regarding personal injury 
or property damage in the event of a train accident. There will be no further use of 
data for other purposes. Evaluations of a train accident are carried out exclusively in 
anonymous form so that no conclusion about a specific person is possible. 


If you present your ticket or customer card for validation purposes. 


If you provide your data (contact details and other purpose-specific data) for the pur- 
pose of possible COVID-19 contact tracking. 


If we issue a temporary or permanent exclusion from transport services. 


If you book and receive an online consultation from an OBB travel agency or an app 
date at a ticket counter. 


If you book and receive a Schulcard webinar. 


In the following cases and for the following purposes, personal data will not be collected 
by ourselves but will be disclosed by third parties in accordance with Article 14 GDPR: 


If 


you as a customer with an annual ticket want to participate in OBB’s process for com- 
pensation for delays, the competent transport association will send us the following 
personal data in advance every year: 


— Customer data of the buyer and/or user of the annual ticket: salutation, title, first 
and last name, address, country, date of birth (if available), e-mail address (if 
available), telephone number (if available), internal customer number with the 
transport association. 
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Contract data of the annual ticket including areas of validity: fare code of the an- 
nual ticket, number of the annual ticket, number of the primary ticket if applicable, 
number of the old annual ticket, first and last day of validity of the annual ticket, 
date of the last change of data. 


The following data is provided by you yourself when you register: boarding sta- 
tion, exit station, bank details and number of an OBB customer card. 


On this basis, we will calculate any compensation for delay, which will be auto- 
matically transferred to your designated bank account at the end of the period of 
validity of your annual ticket. 


e If you book a flight and take a passenger train to or from the airport for this purpose. 


In this case, the respective airline or one of its distribution partners will provide us 
with the following data: first and last name, flight number and scheduled departure 
time, carriage class, affiliation to a travel group, seat number. Documentation and 
correspondence regarding customer complaints, as required. 


This data will be used for the following purposes: validation of travel documents 
on passenger trains and in the event of operational disruptions (especially emer- 
gencies). 


If we receive data from a bank / payment service provider (e.g. PayPal) for the 
purpose of processing a complaint. In this case, the following data may be made 
available to us: first and last name, transaction code and transaction amount, in- 
voice and processing number, presentation of the facts by the bank and the other 
parties involved, as well as agreements, documents, time of contact. 


e If you as a caregiver and nurse take a special train from Vienna (Schwechat Airport/ 
Vienna Central Station) to Timisoara and back. In this case, BTU Business Travel Un- 
limited Reiseburogesellschaft mit beschränkter Haftung, the controller under data pro- 
tection law, will provide us with the following data: 


Information on the passenger (first and last name, date of birth, nationality and 
number of the travel document, place of origin/region in Romania and telephone 
number) 


Details of the agency and representative in Romania (name and title, address, 
contact details) 


Travel details (carriage and train number, seat number, date, departure and ar- 
rival railway station in Romania, departure/destination (city) from/to Romania, 
means of transport from/to Timisoara Nord railway station) 


This data will be used to process and manage the transport service in compliance 
with the restrictions imposed due to Covid 19. We will not pass on data to third 
parties and will delete it after 14 days. 


The data processed for these purposes is disclosed to the following categories of recipi- 
ents as required and depending on the intended use, ensuring that data is only disclosed 
to the extent absolutely necessary as required: 


To 


e the responsible bank / payment service provider for the purpose of secure payment 
processing in accordance with the legal requirements as well as the payment service 
provider's instructions or for the prevention or clarification of cases of abuse (for the 
purposes of contract execution, Article 6(1) b) and f) GDPR). 


e the regulatory authorities in the case of arbitration (for the purposes of complying with 
the provisions and rights under railway law, Article 6(1) c) GDPR). 
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the assigned legal representative in the event of disputes under civil law (based on 
our legitimate interests in defending legal claims, Article 6(1) f) GDPR). 


the local, competent administrative authority responsible in the individual case (in par- 
ticular also financial authorities, driving licence authorities, the Austrian Regulatory 
Authority for Broadcasting and Telecommunications or trade authorities) for the pur- 
poses of complying with legal provisions and entitlements, Article 6 Para. 1 lit. c 
GDPR. 


the local, competent court responsible in the individual case or other authorities re- 
sponsible in the individual case (based on our legitimate interests that exist in de- 
fence of legal entitlements, Article 6 Para. 1 lit. f GDPR). 


the competent executing contractors providing services in connection with a booked 
journey to the destination and/or at the destination itself (hotels, airlines, partner rail- 
ways, bus or taxi companies or car rental agencies as part of an integrated mobility 

service, local organisers on site, etc.) 


the visa-issuing authorities, as required in the course of long-distance journeys, in 
which case it should be noted that we provide the service of data collection and trans- 
fer to the competent authority in the individual case as a processor within the mean- 
ing of Article 28 et seq. GDPR. Visa and passport data are not automatically stored if 
the procurement of a visa forms part of the order placed by the data subject. Data 
storage is therefore usually carried out by the respective competent visa-issuing au- 
thority, which also assumes sole responsibility for the use of the data it stores. 


the domestic or foreign partner railway, as the case may be, responsible for handling 
the compensation case or the mobility service or in connection with an international 
journey (for the purposes of contract execution, Article 6(1) b) GDPR) 


the debt collection agency assigned by the controller for the recovery of outstanding 
debts based on our legitimate interests in the defence of legal claims, Article 6(1) f) 
GDPR). 


the chartered public accountant for the purpose of auditing (for the purpose of com- 
plying with legal provisions, in particular the applicable corporate law regulations, Art- 
icle 6 Para. 1 lit. c GDPR). 


any affected cooperation partners, as the case may be, in the event of the sale of ser- 
vices provided by the cooperating partner by the controller (for purposes of contract 
execution, Article 6(1) b) GDPR). 


to other companies of the OBB Group or other cooperating partners, in the event that 
you purchase or use a product or service provided by the parties mentioned above. 


our commissioned data processors, if these process personal data on our behalf. 
(Based on our legitimate interests, in particular for the improvement, simplification 
and maintenance of our database systems, Article 6 Para. 1 lit. f GDPR). 


The competent competition authorities for the purpose of conducting antitrust pro- 
ceedings, on the basis of a legal entitlement or a legitimate interest (Article 6(1) c) 
and f) GDPR). 


To Westbahn Management GmbH und Schieneninfrastruktur-Dienstleistungsgesell- 
schaft mbH (SCHIG mbH) for the duration of mutual ticket recognition (general pre- 
ventive reasons under Article 6(1) f) GDPR) 


Bundesrechenzentrum GmbH, in the event that you purchase a special product for 
students from a transport association and an authorisation check is carried out for this 
purpose in the form of a data comparison (Article 6(1) b) GDPR) 


version: 2022.04 
Valid from: 27/04/2022 Page: 13 / 59 


OBB 


domestic and international authorities within the context of COVID-19 contact tracing 
(Article 6(1) a) and c) GDPR). 


Wiener Linien GmbH & Co KG for the purpose of verifying the validity of the ticket 
presented by the data subject in the event that the data subject disputes the accuracy 
of the penalty fare issued by our train attendants (based on our legitimate interests 
consisting in the defence of legal claims, Article 6(1) f) GDPR). 


Our data processing is therefore carried out in particular based on the legal framework 
conditions summarised again below (as amended): 


Regulation EU 2016/679 for the protection of natural persons with regard to the pro- 
cessing of personal data and on the free movement of such data (General Data Pro- 
tection Regulation (GDPR)), in particular Article 6(1) a) (consent), b) (execution of 
contract), c) GDPR (legal entitlement or obligation), f) (legitimate interests) and (4) 
(processing for further purposes). 


Regulation (EU) No. 1371/2007 of the European Parliament and of the Council of 23 
October 2007 on rail passengers’ rights and obligations; 


Federal Act on Rail Transport and Passenger Rights (Eisenbahn-Befoérderungs- und 
Fahrgastrechtegesetz — EisbBFG) 


Federal Unfair Competition Act of 1984 (UWG) 
Trade Regulations of 1994 


Directive (EU) 2015/2302 of the European Parliament and of the Council of 25 
November 2015 on package travel and linked travel arrangements 


Federal Act on Package Travel and Linked Travel Arrangements (Package Travel 
Act) 


Code of Criminal Procedure of 1975, as required 

Introductory Act to the Administrative Procedures Act of 2008 
Administrative Penal Act of 1991 

General Administrative Procedures Act of 1991 


General Austrian Civil Code of Law for all German hereditary lands of the Austrian 
monarchy 


Telecommunication Act of 2003 


Federal Act on General Regulations and Procedures for Fees Administered by the 
Tax Authorities of the Federal Government, Regional States and Municipalities (Fed- 
eral Fiscal Code, BAO) 


Federal Act on Special Regulations of Civil Law for Companies (Austrian Commercial 
Code, UGB) 


Fare Conditions and General Terms and Conditions of OBB-PV AG, incl. the Guide 
for travelling with OBB in Austria, as well as any other general terms and conditions, 
contractual agreements and obligations that may apply. 


Terms of participation in the case of projects or special services. 


Federal Act of 21 January 1959 on Liability for the Compensation of Damages from 
Accidents in the Operation of Railways and the Operation of Motor Vehicles (Rail- 
ways and Motor Vehicle Liability Act; Eisenbahn- und Kraftfahrzeughaftpflichtgesetz — 
EKHG) Federal Law Gazette No. 48/1959 as amended. 
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e Federal Act on distance sales and contracts concluded outside of business premises 
(FAGG) Federal Law Gazette | No. 33/2014 in this version Federal Law Gazette | No. 
83/2015 as amended. 


e Federal Act of 8 March 1979 laying down provisions for the protection of consumers 
(Consumer Protection Act; Konsumentenschutzgesetz — KSchG), Federal Law Gaz- 
ette No. 140/1979 as amended. 


e Federal Act on the Restructuring of the Legal Relationships of the Austrian Federal 
Railways (Federal Railway Act; Bundesbahngesetz), Federal Law Gazette No. 
825/1992 as amended. 


e EU Directive on Payment Services in the Internal Market, amending Directives 
2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No. 1093/2010, and 
repealing Directive 2007/64/EC (PSD2) 


e COVID-19 laws and the ordinances and decrees issued in connection therewith. 


We do not intend to transmit personal data to third countries or to an international 
organisation. 
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Storage period 


In general, personal data are only stored by us to the extent that this is absolutely ne- 
cessary and in principle are deleted following expiry of the statutory period of limitations 
under civil law of three years (e.g. customer correspondence) or in the case of invoice-rel- 
evant data, after ten years (e.g. booked tickets, customer cards) in accordance with § 212 
UGB or §§ 132 et seq. BAO. A longer storage period is only implemented in justified indi- 
vidual cases, for example as a result of an ongoing civil law or regulatory dispute. 


Specifically, we would like to emphasise the following various subject areas: 


For invoice-relevant data based on other ticket purchases, the acquisition of cus- 
tomer cards, booked journeys, applications for reimbursement, fare recovery claims, 
including scanned ID cards, or the rental of a car, etc., such data shall be stored for a 
period of ten years. The longer storage period serves to ensure that OBB-Personen- 
verkehr AG can fulfil its legal obligations to provide evidence in the event of a pos- 
sible financial audit (§ 209 (5) BAO). 


Other than this, we save data that can be assigned to you for a period of three 
years, such as customer correspondence, use of other services (e.g. mobility service, 
validation data, push services or any other service forming part of our integrated mo- 
bility offering), merely taking part in sweepstakes, campaigns or customer surveys. 


We will record you as a test user or subscription customer, if you have specifically 
registered for this. In the event of unsubscribing, such data will continue to be stored 
for a period of three years. 


We store timetable connections without tickets as long as you wish to see this in- 
formation on your home page. If you delete it from the home page, it will also be de- 
leted from our servers. 


We will remember information relating to relevant tips and information displayed 
by our software for as long as your OBB account exists or until your browser history is 
deleted. This is the only way we can guarantee that we will not provide you with irrel- 
evant tips or tips that are displayed several times. 


Revocation of a declaration of consent or assertion of an objection to direct 
marketing pursuant to Article 21 et seq. GDPR (blacklist): deletion of this information 
may not occur, since we keep this as a negative list and thereby ensure precisely that 
you do not receive any advertising offers from us. 


Data on the affidavit submitted by you will generally be retained and stored for three 
years, or as required until completion of the legal dispute. 


Information to customers pursuant to § 20 (3) of the Railway Transport and Pas- 
senger Rights Act is retained for a period of 18 months. 


Personal data that you have disclosed to us via the website for the purpose of hand- 
ling personal injury or property damage shall be stored for a period of one year. A 
longer storage period shall only be implemented in the event of a longer lasting dam- 
age settlement (conducting legal or regulatory disputes). 


Personal data that you disclose to our train attendants for the handling of personal in- 
jury or property damage, theft or other incident or concern will be stored for the dura- 
tion of processing and for an additional three years until completion of case handling. 


In the event that personal data is disclosed when using the chatbot / OBB.Bot, it will 
be stored for a period of 30 days. 
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e Data processed based on a legal or regulatory dispute will be kept available for a 
period of 30 years and may only be inspected and processed by certain employees. 


e Personal data disclosed to us by the operating airline or its cooperating partner will be 
deleted from the relevant subsystems after one month, where they relate to personal 
data for the validation of travel documents on a passenger train. Otherwise, data will 
be kept available for three years for the purposes of handling legal or regulatory dis- 
putes. 


e Personal data collected in the context of COVID-19 contact tracing will be automatic- 
ally deleted or properly destroyed within 30 days from the date of collection at the 
latest. 
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Your rights 


(1) Rights of data subjects 


As the data subject in the individual case, you are entitled to assert the following rights 
of data subjects with us if we are the controller for the data processing: 


a. Right of access (Article 15 GDPR) 


You have the right to request information on which personal data are collected about you 
and held by us. 


b. Right to rectification and deletion (Article 16 GDPR) 


You have the right to rectify any incorrect data concerning your person (e.g. spelling mis- 
takes). 


c. Right to erasure (Article 17 GDPR) 


You have the right for personal data to be deleted, provided such deletion is covered by 
the cases set out in Article 17 GDPR, for example if we were to wrongfully process data. 


d. Right to restriction (Article 18 GDPR) 


You have the right of a data subject to demand that the controller restrict the processing 
of personal data about you if the requirements under Article 18 GDPR are present. 


e. Right to data portability (Article 20 GDPR) 


You have the right of a data subject to receive the data provided by you in an interoper- 
able format. 


f. Right to object (Article 21 GDPR) 


You have the right of a data subject to raise an objection to data processing, provided the 
requirements of Article 21 GDPR are present. 


If you wish to assert a data subject right, please contact us. To do so, the following con- 
tact options are available to you: 


Contact details customer service: 

OBB Customer Service 

(Subject: assertion of rights of data subjects) 

Postfach 222 

1020 Vienna 

E-Mail: datenschutz.personenverkehr@pv.oebb.at 

Please include the following information in your request: 


¢ A copy / scan of your official photo identification stating your date of birth (e.g. identity 
card, driver’s licence or passport) and 


e if you have an existing customer account, the email address registered with us. 


We require this in order to verify your identity before we are able to answer your request 
or make the necessary arrangements. This verification of identity means that we can de- 
termine your actual characteristic as a data subject, so as to ensure that personal data is 
not disclosed to unauthorised third parties (risk of abuse). 


Once we have received your request and you have proven your identity, we will respond 
to your request within four weeks.. In the event that we have specific questions as part of 
the reply, we will contact you and ask you to cooperate and assist. 


(2) Complaint 
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Furthermore, you have the right to submit a complaint to the data protection authority, 
according to §§ 24 et seq. DSG [Data Protection Act] and Article 77 et seq. GDPR if you 
believe that we have breached obligations under the General Data Protection Regulation. 


Contact data: 

Austrian Data Protection Authority, 
1030 Vienna, Barichgasse 40-42, 
Telephone: +43 1 52 152-0 
E-Mail: dsb@dsb.gv.at 


www.dsb.qv.at 
(3) Withdrawal of consent 


If you have granted us your consent to the processing of your data for a specific purpose, 
you have the right to revoke your consent at any time without providing reasons. We have 
described the method for exercising the right of withdrawal in the Chapter “Direct market- 
ing — General and personalised advertising offers”. 
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All you need to know about data collection in the 
context of COVID-19 contact tracing 


Due to special domestic and international legal provisions, OBB-Personenverkehr AG is, 
in certain cases, obliged to collect data of passengers and to forward them to the compet- 
ent authorities in Austria and abroad upon request. In other cases, OBB-Personenverkehr 
AG tries to contribute to the containment of the COVID-19 pandemic by voluntarily col- 
lecting data. We will, of course, treat the data you provide as confidential and use it ex- 
clusively for any necessary tracing of infection chains in the event of a request or specific 
legal obligation. Contact tracing in case of an incident serves the purpose of containing 
the pandemic, i.e. of protecting your health and that of other passengers. 


In all cases, data will be deleted by OBB-Personenverkehr AG or any partner involved 
after 30 days at the latest. The legal basis is Article 6(1) c) and Article 9(2) i) GDPR, i.e. 
the specific domestic and international special legal provisions which serve to ensure na- 
tional and international protection and hygiene concepts for the containment of serious 
health hazards, including transnational health hazards, and, in certain cases, the consent 
granted by you under Article 6(1) a) GDPR. 


A legal obligation exists in the event of a visit to the OBB lounges. 


The following data is collected for this purpose: First and last name, telephone num- 
ber (optional), e-mail address, day and time of visit to the lounge, table number (in 
case the physical list is used), location of the lounge and date of birth (optional) 


For this purpose, forms will be provided in the lounges, which you are kindly reques- 
ted to fill in correctly and hand over to the competent OBB staff member. 


Alternatively, you can also enter your data in an online form. To do this, please scan 
the QR code provided on site. After entering your data and confirming it (i.e. by click- 
ing on the confirmation e-mail we send to your e-mail address), you can use the OBB 
Lounge. The requested confirmation serves as a security measure to ensure that no 
unauthorised third party can disclose your e-mail address as a tracking address. 


* On OBB passenger trains, a voluntary passenger list is available. 


e In this case, there is no legal obligation. You, as the data subject, provide this data 
voluntarily. 


e For this purpose we provide customers with an electronic form. After initial data entry 
and confirmation (i.e. by clicking on the confirmation e-mail we send to your email ad- 
dress), you will receive a message which will allow you to indicate further journeys or 
to revoke your consent, if applicable. 


e In this case, the requested confirmation also serves as a security measure to ensure 
that no unauthorised third party can disclose your e-mail address as a tracking ad- 
dress. 


¢ For the passenger list, the following data is collected: First and last name, telephone 
number (optional), e-mail address, date and time of consent or revocation, notification 
whether it is a commuter trip, mandatory information on the trip: date, time, station of 
departure and destination, optional information on the trip: train number, wagon num- 
ber, seat number and date of birth (optional) 


Due to specific legal obligations in the Federal Republic of Germany, contact data is also 
collected on long-distance trains to Germany if the on-board restaurant is used: 


¢ The data is recorded either in paper form or electronically. To this end, flyers are laid 
out on the tables of the on-board restaurant. 
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¢ The following data is collected if you use the on-board restaurant: first and last name, 
telephone number, e-mail address, address data (street, town, postal code and coun- 
try), train-related data (train number, wagon number), information on accompanying 
persons from the same household. 


e If data is collected in paper form by filling out the form, OBB-Personenverkehr AG’s 
on-board restaurant partner Donhauser GmbH (DON) shall ensure safe custody and 
proper destruction of the data. 


e If data is collected electronically by means of a QR code, then data is collected and 
stored in the IT systems of DB- Fernverkehr AG, which, if necessary (i.e. in case of a 
request), will disclose the data to the competent German health authority. 
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What personal data is essentially involved when 
you purchase a ticket or customer card from us 
online or avail yourself of any other of the services 
we offer? 


With regard to your person we store the following data in particular: 


Name 


Date of birth if disclosed to us or if required for our products and services. If you store 
children as passengers, we will always ask for the date of birth. Given that the age 
limits are different for our transport association partners and international partner rail- 
ways, this is the only way we are able to offer you the right ticket. 


Age of the child, but always only for the current ticket purchase. As soon as you try to 
bookmark a child locally in the OBB app, we will ask for the date of birth. This is the 
only way the right ticket can be offered again for any subsequent purchase. 


Colour for bookmarked passengers 
Colour and personal data for ME, if indicated 
Discount cards that you have disclosed to us 


Number of a customer card if a card purchase can be assigned to your OBB account. 
We do not store such information for travel companions. 


Assignment to a private OBB account or OBB business account 

Assignment to a customer type (private or business customer) 

In the business area: Assignment to a specific legal person or other third party 
Passenger (adult/child/young person) 


Information on journeys and mobility restrictions if you wish to save such information. 
This allows you to search automatically for transport connections for people with re- 
duced mobility in your next ticket purchase 


If you wish to deliberately bookmark family discount cards for transport authorities, we 
shall store them. We will also store relevant family relationships, allowing us to apply 
the family rate of the transport association to the next ticket purchase 


We will store the following timetable settings: 


Request for direct connections 

Request for extended transfer times 

Request for accessible connections 

Request for exclusive use of train or regional train connections 
Request for transport with option to carry a bike 


Request for a timetable connection with an indication of an intermediate stop and re- 
quested length of stay at the intermediate stop 


We store the following other settings: 


Requested language 


Request to receive a ticket automatically as a mobile ticket on your mobile device 
upon purchase 
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e Animations on/off 
We store the following data centrally: 
e Data concerning the shopping basket 
¢ Information on the frequent use of our website or app or 


e Information for suggestions on frequently searched connections. 
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All you need to know about OBB customer cards 


We have a wide range of customer cards on offer. Whether you are looking to travel at 
reduced prices, explore Austria all year round without the stress, enjoy regular family ex- 
cursions or travel for business purposes, there is a customer card to suit you. 


When ordering an OBB customer card (Vorteilscard, Osterreichcard), you will be required 
to provide your personal data. In particular, this includes personal details such as your 
name, date of birth and address and, in the case of a SEPA mandate, your bank details 
(IBAN and BIC). Providing a telephone number is optional and allows us to contact you if 
we have any questions. The above data will help us to personalise the customer card and 
are processed by OBB-Personenverkehr AG to complete your order. Entering your per- 
sonal data is mandatory when ordering a customer card. Failure to provide the details 
mentioned above may result in you being refused a customer card (provision of a tele- 
phone number is optional). 


You will need an OBB account to order online or via our OBB app. This requires you to 
enter an e-mail address and password. This information will be saved. 


Customer cards are produced by a reliable contractor. We take great care to ensure data 
are transmitted securely to the contractor. Data are exchanged in encrypted form only, 
and access to them has been reduced to the minimum necessary extent. 
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All you need to know about the validation of 
customer cards, as well as annual and other tickets, 
including boarding passes (Airrail passes) 


During the journey, our train attendants will validate (i.e. scan and check for validity) your 
customer card, annual ticket and/or ticket or your boarding pass (Airrail pass), for which 
OBB-PV AG or one of our cooperation partners (e.g. Federal Ministry for Climate Protec- 
tion, Environment, Energy, Mobility, Innovation and Technology (BMk)) is responsible. 
Due to the temporary recognition of tickets issued by Westbahn Management GmbH, 
these tickets are also validated by our train attendants. 


When scanning, only those data are visible on the train personnel’s device which can be 
found on your customer card or the ticket (e.g. card number, card validity, name of card 
holder, card type and comfort class, departure and arrival time, train number, boarding 
and exit station). When travelling on a passenger train using an authorisation issued by 
Westbahn Management GmbH, the URL contained in the QR code and therefore the 
ticket code and ticket number are scanned. In the case of our customer cards, the date of 
birth of the card holder is also displayed on the train crew’s device in order to facilitate 
identification. Our train attendants also receive information on whether the customer card 
or ticket was valid at the time of validation. The following data is collected when your 
boarding pass (Airrail pass) is validated: Name, operating carrier's PNR code (= order 
number), airport code, operating carrier’s designator (corresponds to the RICS code for 
railroads, i.e. the identifier of the transport company), flight number, date of the flight, 
compartment code (travel class) and the document form/serial number (= ticket number) 


Scanning allows for an electronic control of cards and the ticket (as opposed to a purely 
visual inspection) and in particular makes it possible to withdraw manipulated or wrongly 
used tickets or cards (for example if the validity period has already expired) from circula- 
tion. 


Moreover, data are collected for our train staff, i.e. which employee performed validation 
when, where and how. Our train attendants are only able to view validation data for a lim- 
ited amount of time. 


We do not automatically analyse possible movements of our customers. An evaluation of 
the existing data material is carried out in individual cases if a data subject should request 
this information as part of his or her request for information under Article 15 DSGVO. 


Validation is based on two different legal principles of equal value, i.e. (1) on the contract 
of carriage concluded with you, i.e. Article 6(1) b) GDPR, and (2) on prevailing legitimate 
interests, as defined in Article 6(1) f) GDPR, which consist of the performance of a neces- 
sary authorisation check, removal from circulation of customer cards and tickets which 
are no longer valid, as well as preventing additional cases of abuse (general prevention) 
and compliance with contractual obligations. For the duration of the recognition of their 
tickets, Westbahn Management GmbH and Schieneninfrastruktur-Dienstleistungsgesell- 
schaft mbH (SCHIG mbH) will pass on the following data for the aforementioned general 
preventive reasons: Train number, time of validation and details of the scanned QR code. 


version: 2022.04 
Valid from: 27/04/2022 Page: 25 / 59 


OBB 


All you need to know about your customer account 


Private OBB account 


In order to use all functions of our website and app, you can register, and we will create 
an OBB account for you. This means you will use all your stored data independently of 
devices and browsers, and simplify and accelerate timetable queries and ticket purchase. 


In order to create an OBB account, we will need at least the following information: e- 
mail address, password, salutation, your first and last name and your date of birth. 


Following data entry and registration, you will receive an e-mail from us, to confirm your 
e-mail address and activate the OBB account. Once you have confirmed the activation 
link, your OBB account will be active. The next time you log on, existing local data will be 
transferred onto your OBB account if you consent to this process. 


In order to make use of additional benefits for your OBB account or to buy a personal- 
ised product, such as a customer card, we need additional personal data from you, i.e. 
your date of birth and address, optionally also your title and phone number. This allows 
us to offer you products tailored to you. We will send your OBB customer card in credit 
card format by post and remind you of any renewal in a timely manner prior to expiry. 


Your OBB account facilitates comfortable and quick ticket purchase without repeated 
data entry, by storing your payment data as favourite payment methods.. 


e Your payment data will be stored by our payment service provider, who processes 
your payment data using the international PCI DSS standard. If you have stored sev- 
eral favourite payment methods, we recommend the last used favourite payment 
method for your next ticket purchase. Of course, you can change the method of pay- 
ment during the ticket purchasing process. 


e You can delete bookmarked payment options at any time. 


OBB business account 


In order to use our business services (website and app), business customers can create 
a business account. For example, you can register your company as a corporate cus- 
tomer and we will create an OBB business account for you. 


This allows you to use all your stored data independent of devices and browsers and sim- 
plifies and accelerates timetable enquiries, ticket purchases, company structure manage- 
ment and the report function. 


It's as simple as this: name an administrator from your area who will handle the initial re- 
gistration. For an initial registration, we need at least the following information: e-mail 
address, password, salutation, your first and last name, company name, address and an 
industry selection. 


After entering the data and registering, the named administrator receives an e-mail from 
us to confirm the e-mail address, initiate the plausibility check and activate the OBB busi- 
ness account. Only after a positive plausibility check will the payment on account and the 
business tariff be activated. As soon as you confirm the activation link, your OBB busi- 
ness account is active. 


In order to use or manage further advantages of the OBB business account, we option- 
ally need additional data, such as: the structure of the company, employee names, e- 
mail addresses, employee role authorisation, employee discount cards, etc. This enables 
us to offer your employees or other persons assigned to the OBB business account relev- 
ant products. 
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The OBB business account also enables a pleasant and fast ticket purchase without re- 
peated data entry by adding payment data in the administration. Payment data will be 
stored by our payment service provider, who processes your payment data using the in- 
ternational PCI DSS standard. The stored means of payment can be deleted at any time 
by persons who have received the corresponding authorisations by you. 


For existing business customers, OBB-Personenverkehr AG offers webinars covering 
customer safety at the station and on the train. OBB-Personenverkehr AG shows what 
the company does for the safety of passengers and demonstrates how customers can 
also pay attention to their own safety. In addition, the various options for travel insurance 
are presented and explained. 


The invitation to the webinar, including the invitation link, is sent by e-mail to the e-mail 
address provided by the business customer. For the avoidance of doubt: this is a training 
and information event, and the webinar does not include any promotional content. 


If you use the Wegfinder app provided by our partner iMoblity GmbH to book a ser- 
vice (e.g. to purchase a ticket to travel to a congress), iMobility GmbH will provide us with 
your name, date of birth, wheelchair yes/no, discounts, travel preferences, booking de- 
tails and the organizer’s business account ID, so that we can issue the ticket. 


The individual bookings as well as any payments take place in iMobility GmbH’s 
Wegfinder app. The data on CO? savings is compiled and made available to the respect- 
ive organizer of the booked service without personal reference. 


For selected partners (Easy Tex), the business account can also be used as a service 
for customers. For this purpose, the partner uses a business account, in which the book- 
ing and billing takes place. 


Personalisation 


You have the possibility to personalise your OBB account, by bookmarking yourself as 
ME and choosing a colour for your profile. Your customer account will be displayed in the 
colour that you have personally selected with immediate effect. 


In the event that you no longer want to use your OBB account, you have the option of 
closing the OBB accountagain. 


e Your registration will be cancelled and your access data, e-mail address and pass- 
word deleted. 


* Depending on the intended use, some of this data may have to be stored for up to 
seven years (due to statutory requirements). 


e Once deleted, your e-mail address or customer number can be immediately used to 
create a new personal customer account. 


* Stored journeys and settings for the deleted OBB account cannot be restored. 
e Every new account is created using default system settings. 


e If you close your OBB account, we will advise you separately of stored future journeys 
for which you have purchased tickets. You can still close your OBB account. You will 
then receive purchased tickets via the link “Receive tickets” in your e-mail confirma- 
tion of purchase. 


If you do not use your OBB account for longer than one year, we will automatically send a 
reminder to the e-mail address that you have disclosed. You will then have two weeks to 
log onto your OBB account. We can close your OBB account automatically if you fail 
to use this account for a longer period, given that in this case we assume that you 
no longer want to use it. 
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All you need to know about the OBB Ticket Shop 
and OBB App 


We have set ourselves the goal of allowing you to: 
e easily use our Ticket Shop; 


* as a business customer easily make ticket bookings in relation to your respective 
company structure; 


e quickly receive your timetable and tickets; 
* only receive relevant information on your journey; and 
e gladly use our website and our app. 


Our website tickets.oebb.at and our OBB app offer services customised to your personal 
needs, which simplify ticket purchase. 


Transport association tickets can be purchased throughout Austria based on the 
timetable. In order to do so, simply enter the start and end point of the journey, and you 
will receive the right timetable and the associated OBB or transport association ticket. 
You can purchase tickets without needing to know all the individual fares in advance, be it 
for the bus, railway or tram. 


for simple selection of the start and end point bookmarks your most recent entries. Your 
timetable query will therefore proceed more quickly the next time. Registered users can 
use this service on all sales channels and devices when logged in. Regardless of whether 
you book your journey on a computer on the Internet or using the OBB app on your mo- 
bile phone, with a logged-in OBB account we will store your last start and end point 
entries and offer you them for selection in your top station hits. 


Recently searched timetable connections are provided for you in the future timetable 
search as a personal quick selection. 


e This means you are able to access your regular timetable queries for the next ticket 
booking without having to enter the start and end point of your journey. 


° If you make a timetable query, we will store the start and destination location (and the 
intermediate stop, if any) of your travel request for this purpose. In addition, we will 
store details on whether you have searched for a timetable connection for an offer for 
individual tickets or day passes, or for weekly or monthly passes, or for a seat reser- 
vation without a ticket. 


e This means that you can access your regular timetable queries for the next ticket 
booking, even without selecting the start and end point of your journey. 


e In this context however, we will not store your current location. 


Using the function “bookmark person”. 


* you can store data for all persons with whom you regularly travel. This means you 
can quickly add them to your journey for the next ticket purchase. This saves you 
having to re-enter data, such as names or numbers of necessary discount cards for 
ticket purchase. 


* you can store data for all persons with whom you travel regularly. You can store the 
name, any discount cards and the date of birth of children and elderly people. This 
means you can quickly add these persons to your journey for the next ticket purchase 
without having to enter such data again. If you wish, you can also assign a colour to 
your passengers. 
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e You can store data on your employees or other persons assignable to you and assign 
them to a business unit. This gives you a better overview of your accounting and 
makes it easier to book tickets for stored persons. 


If you wish, when bookmarking your own travel data, you can then advise us that this per- 
son is you. We will then store this information for your next journey as ME. 


With immediate effect we will give consideration to your “ME” for your future journeys 
in each bid preparation, with names, discounts, colour, and, if desired, date of birth. 


Each new journey that you book automatically has “ME” as the passenger. Then all 
you have to do is add any other passengers. 


If you ever buy a ticket for someone else, simply remove “ME” as a passenger for this 
journey. 


If you have added a discount card, for example a Vorteilscard, to your ME, you will 
immediately receive pricing information, including the relevant discount, for your fu- 
ture timetable queries. 


These data will be stored in the local memory of your computer or in the app if you 
use our applications without an OBB account. 


If you have an OBB account and use our services while logged in, these data will be 
stored centrally and can thereby be used across sales channels. 


We store the route for your ticket purchase. This means you can check whether the 
travel data have changed in the journey preview at any time. If we are aware of a different 
updated timetable, we will display this. We will delete the planned time from the timetable 
and replace it with the actually forecast time. We aim to keep you informed as far as pos- 
sible at all times, allowing you to react to changes in travel data in good time. 


Shortly before the start of the journey, the journey preview for your booking will become 
your personal travel companion. We will then advise you of the next relevant actions to 
your journey, for example: “Change trains in 10 minutes.” 


You can always find the offer with the best price as the first offer on our website 
and in our app. If there is an additional offer for your travel request, which offers more 
flexibility in travel time or the refunding of tickets, we will advise you of this alternative. 
You can decide whether price or flexibility is more important to you for each journey. 


You can cancel a purchase within 3 minutes of payment at tickets.oebb.at or in the 
OBB app. This is only possible if you have not yet acquired your travel card in the form of 
a ticket. You can subsequently return to the shopping basket and make retrospective 
changes to your purchase. 


You can buy your ticket quickly with 2 clicks, by registering and storing your payment 
data in your OBB account. Set up a quick display of the requested offer on the home 
page and this function can already be used. We store your offer request for the requested 
timetable connection (e.g. best price, reservation request, requested travel class, number 
of passengers). Then, all you have to do is place it in the shopping basket with a click, 
and pay with a second click. 


Store special timetable connections as favourites if you regularly travel on the same 
route with the same preferences. This includes: 


e Other passengers 
e Selected timetable filters, such as “only direct connections” or “changed transfer time” 
e 1st class journeys 


e Request for a seat reservation 
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e Journeys on certain weekdays 


We only bookmark these data at your intentional request. This favourite is located on 
your personal home page and allows you to directly display timetable or offer information 
with one click when opening the application, without having to indicate data again for the 
current purchase or timetable request. 


If you place your favourites on the home page, we will store your travel request. 


e You can enter this connection info manually and thereby set timetable filters, passen- 
gers and notice days. 


e If you are registered, this connection info for your journey will be visible on all re- 
gistered devices (regardless of whether mobile phone or Internet browser). This 
means you will find timetable data on your regular journeys on your home page 
whenever you open the app or website and you will quickly access the next timetable 
connections for your individual travel request. 


But you can also store connection information as favourites for a specific timetable 
connection. In this case, you can use an additional practical service with location determ- 
ination: “Only display if | am near the target destination and display the start if | am near 
the start location” 


We also automatically create a selection for you based on your frequently searched 
and purchased routes and products, in order to allow you to make purchases faster. If 
you do not want a particular route or product to appear in this list, you can remove it by 
clicking on the options menu (three dots). 


For a specific journey we always bookmark the name of the person printed on tickets. 
This means we can be certain that a ticket is not used several times by different persons 
with fraudulent intent. As a result, please carry your photo ID for the ticket with you, 
to allow train staff to check on the correct use of the ticket on site. 


If you are travelling with children or young people, we will bookmark the age of the 
children. The children’s age limits differ in individual transport authorities and countries. 
Only if we know the age of your children can we determine the right price for the ticket 
purchase and create the best offer for you. We are obliged to store the date of birth for in- 
ternational travel. 


We will provide you with all known information about your journey. In this way, you 
will have the most detailed and current information about your journeys and are able to 
respond to changes on time. Your travel companion in the OBB app and website has the 
latest information for you at all times: 


e where you have to transfer next; 
e how much time is left for transfer; 
e whether the timetable connection or 
e the platform has changed. 
Your location information will only be used in the OBB app if you share it with us. 
e By switching on location services, you can save time in the timetable query. 
e This allows you to search for a connection from your current location. 


e f you have stored a timetable or offer favourite, and selected the option that you 
would like the return journey to be displayed to you based on location, we will only 
use your calendar in the OBB App if you share it with us. 


¢ If you enter your journey in the calendar, metable data for a booked journey will be 
imported into your calendar. 
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e In order to do so, you will have to allow the OBB App access to your calendar in the 
device settings. 


By payment information we mean information that we require for processing the pay- 
ment. As a matter of principle, we will never store any payment information, such as 
credit or debit card numbers, expiry date, the card validation code (CVC) or user account 
and password data. We will only store payment information to a limited extent, namely 


e if we are unable to process a cancellation automatically and instead have to wire the 
cancelled amount subsequently (in such an event, we store the name of the applic- 
ant, IBAN, BIC, the name of the bank as well as the address (postal code, town/city, 
country, street and street number); 


e in case of a specific booking, we will store the payment method (PayPal) or card type 
(VISA, MasterCard, etc.) and the last 4 digits. 


In all other cases, payment information (e.g. expiry date or the card validation code 
(CVC)) will be processed and used by a tested and certified payment service provider 
(Terminal Service Provider and Payment Service Provider). 


n order to handle the payment process, we employ tested and PCl-certified payment 
service providers who process and use the payment information (e.g. CVC code or ex- 
piry date) to complete the booking. Data will be processed only for the purposes of com- 
pleting payments on certified payment terminals (e.g. ticket vending machine, ticket 
counter, etc.) or at tickets.oebb.at or via the OBB app. These payment service providers 
are usually independent entities and therefore process your data in accordance with their 
own privacy policy. 


In order to clearly authorise a payment, the payment service provider will require various 
pieces of information from us, such as e.g. identification data for browser and operating 
system type, which are saved by us and forwarded to the payment service provider for 
processing the payment. 


The European Banking Authority (EBA), Regulatory Technical Standards (RTS) and the 
revised Payment Services Directive (PSD2) prescribe strict authentication methods for 
combating online fraud. PSD2 aims at preventing online fraud with strict customer au- 
thentication rules applied to an increased number of transactions. 


o-called Strong Customer Authentication (SCA) is an obligatory part of PSD2 and en- 
sures a high level of customer protection and increased payment security. SCA is there- 
fore required whenever you, the customer, start an electronic payment process or per- 
form a transaction that poses a risk of payment fraud or other misconduct. In this case, 
you will be required to complete an identification process by providing a password and 
another identification factor as determined by the payment service provider. In certain ex- 
ceptional cases, this authentication can be dispensed with. The decision to apply SCA or 
dispense with authentication rests with the payment service provider. 


We are required to provide the payment service provider with the relevant data requested 
in order to secure your payment transaction. 


More information on this can also be found on the payment service provider's own web- 
site. 


For the purposes of payment risk management, as required in the specific case and as 
part of the purchase transaction, personal data may be transmitted in the absolutely ne- 
cessary extent to the payment service provider, which then uses this data to conduct a 
risk assessment. Payment-related data will also be consulted for anonymised analyses. 
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The OBB App is distributed via the Apple App Store and the Google Play Store (here- 
inafter referred to as “Store”). Inclusion, distribution and use of the OBB App is therefore 
additionally subject to the separate conditions of these two stores, over which we have no 
influence, and which are compiled and asserted at the sole responsibility of the stores. 


When using our website tickets.oebb.at or our OBB App, data on your ticket purchase will 
be stored by Html storage in the web browser or in local storage on your mobile 
phone. This ensures that all functions, such as “bookmark person” or personalised fast 
selection can also be used if you wish to use our software without registration. We will 
only store personal data for quicker processing of future purchases if you wish us to do 
so. 


We would like you to learn the full scope of functions of our software. For this purpose, 
we have made sure that you will receive practical tips and information from us at an 
appropriate spot. We want to provide you with relevant information and not continually re- 
peat this. This is why we store functions used by you for a maximum period of 18 months. 
As a result, you will always receive the right (not yet known to you) information in different 
web browsers and on different devices with the OBB App. 


If you do not want us to store this information about your person, use our website or our 
OBB App without logging on. This means we will not be able to assign this information 
to your person. 


Even if we store this information about your person, we will not conduct any personal 
analyses. We shall only use this information in anonymised form to identify any need for 
adjustment in our systems. This allows us to continually improve our applications and 
provide optimal support to our customers. 
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Ticket sales by third parties (via external booking 
platforms) 


We have expanded our distribution channels for you. This means that you can now also 
find our connections on partner platforms and can, in part, also book your ticket directly 
on the platform of our partner. If the booking is made through a partner, we exchange 
only the schedule and ticket information with the partner that is required for the creation 
of the ticket. The respective partner is responsible for the protection of the data pro- 
cessed on the partner platform of the partner. 
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All you need to know about the integrated mobility 
service 


OBB Shuttle 


In certain municipalities throughout Austria you can book a fast and comfortable shuttle 
service to your destination (OBB Shuttle). The OBB Shuttle Service picks you up directly 
from the train station, takes you to the hotel selected during the booking process and also 
takes you back to the train station on your day of departure. 


When booking a ticket for a specific train journey (i.e. booking a ticket to your destination 
and back), you will automatically be offered the OBB Shuttle Service if this service is 
available at your destination. If you would like to avail yourself of this service, you can 
book it together with your train ticket as part of a booking process. Detailed provisions 
concerning the OBB Shuttle can also be found in the Guide for travelling with OBB in 
Austria. 


The driver of the transfer vehicle (bus or taxi company) will be waiting for you at the sta- 
tion or, in case of return, in front of the selected hotel. The transfer service is provided by 
our cooperating partners (currently OBB-Postbus Gmbh). 


In order to use this transfer service, the following data is collected during the booking pro- 
cess: first and last name, place of collection and destination, number of persons to be 
transported, data for validation, price and chosen method of payment. 


In order to provide the transfer service, the aforementioned data will be passed on to the 
cooperating partner (currently OBB-Postbus GmbH) in the case of a booking and by the 
cooperating partner to the third party providing the service (e.g. local taxi companies at 
the destination) in the event that the cooperating partner does not provide the transfer 
service itself. 


OBB-Personenverkehr AG (as far as the train service is concerned) as well as the indi- 
vidual cooperating partner or the third party commissioned by the cooperating partner (as 
far as the transfer service is concerned) shall carry out this service under their own re- 
sponsibility under data protection law. As a consequence, you must in particular exercise 
your claims/rights under data protection law (e.g. a request for information under data 
protection law) against OBB-Personenverkehr AG as well as against the respective co- 
operating partner and commissioned third parties. 


If you wish, we will also be happy to forward enquiries to the cooperating partner or to the 
commissioned third party. 


Rail & Drive service 


In order to enhance the mobility chain within Austria, OBB Rail&Drive cars are made 
available at selected OBB train stations. This car sharing offer is available to all re- 
gistered OBB Rail&Drive customers. 


To register, please use the OBB Rail&Drive website https://www.railanddrive.at/ The veri- 
fication process can then be completed at selected sales offices of OBB-Personen- 
verkehr AG (i.e. OBB ticket counters, OBB travel agencies and OBB lounges). The ap- 
plicable sales offices are published on our website and can be accessed via the following 
link: https://www.oebb.at/de/reiseplanung-services/am-bahnhof/last-mile.html Alternat- 
ively, you can also carry out the entire registration process at these locations. For this 
purpose we provide computers and tablets at selected sales points. This allows you to 
start the registration process and/or complete the verification process on site. Disclosure 
of the following information is required to use the Rail&Drive service: driving licence data, 
first name, last name, address, date of birth. Please make sure that you are able to verify 
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the information you have provided by means of appropriate evidence on site. In particu- 
lar, it must also be ensured that the driving licence issued to the customer in question 
was issued in a Member State of the European Union. A physical and/or digital copy of 
the driving licence is made on site. The collected data is kept for a period of one week 
and then deleted or destroyed. 


OBB-Personenverkehr AG will forward the collected data and documents electronically to 
Rail Equipment GmbH & Co KG, which is responsible for this service under data protec- 
tion law. In this case, OBB-Personenverkehr AG acts as the processor for Rail Equipment 
GmbH & Co KG. 


Your data protection claims with regard to the OBB Rail&Drive service must therefore be 
asserted against Rail Equipment GmbH & Co KG. 


Contact details: 

Rail Equipment GmbH & Co KG 
z.Hd. Datenschutzbeauftragter 
Operngasse 24/4, 

A-1040 Vienna 
info.railanddrive@oebb.at 


The data collected at the point of sale is recorded by the data controller, Rail Equipment 
GmbH, in its own data processing systems and used for the purpose of providing the ser- 
vice. Further information on the use of data can be found in the data privacy statement of 
Rail Equipment GmbH & Co KG (available at 


https://www.railanddrive.at/de/datenschutzerklaerung). 


Service for daytime users and commuters (use of rental 
vehicles) 


To improve the commuter situation and make it easier to access public transport and the 
related economic benefits, we want to do our part to protect the environment and manage 
resources sustainably. That is why we hire vehicles and make these available to daytime 
users and commuters as part of a ‘Sharing Model’. They are made available to a limited 
group of users, and exclusively to persons who are named and authorised in relevant 
user contracts. 


Daytime users can use the vehicle during the day on workdays. In contrast, commuters 
are authorised to use the vehicles on workdays in the early and evening hours and at 
weekends and on public holidays. 


In addition to personal data (such as name, address, phone number), the duration and 
data for usage authorisation, ID data (driving licences, proof of ID), data relevant to pay- 
ment, data on damage caused and traffic violations will be stored in respect of the day- 
time user or commuter. 


The daytime users / commuters will be sent the respective other party’s user data in order 
to ensure handover of the vehicle. The data to be exchanged have been restricted to the 
absolutely necessary extent, i.e. name and phone number. We have explicitly prohibited 
the use of such data for other purposes in the contracts. 


OBB 360 
As a part of OBB 360, OBB-Personenverkehr AG, together with its subsidiary iMobility 
GmbH, offers a service for employees of companies. 


Public transport, taxis, sharing services and micro-public transport throughout Austria can 
be booked using the “wegfinder’ app provided by iMobility GmbH. This is an information 
and booking platform for a wide range of mobility services as alternatives to private cars. 
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The service offered under OBB 360 can be used for business and private purposes. 


During the booking process, the employee selects whether it is a private trip or a busi- 
ness trip. 


Settlement is made either by private credit or debit card or by the means of payment 
provided by the employer: “Mobility budget” and/or “Travel expenses’. In order to be 
able to make use of the “mobility budget” and/or the “travel expenses” options, the com- 
pany must be linked to the employee’s wegfinder profile. 


The mobility budget is a monthly amount provided by the employer at the beginning of 
each month in the form of vouchers on the wegfinder account. For all bookable mobility 
services in the app, users have the option to select either the mobility budget for private 
journeys or the “travel expenses” payment method as the means of payment for business 
journeys. 


The respective company is also provided with your CO2 footprint for the trips made on a 
monthly basis. 


The employer does not receive any information related to employees’ private mobility be- 
haviour, in particular with regard to which means of transport were used for which routes 
for private purposes. Your employer can only see how much CO2 an employee has 
saved with the mobility budget they have made available. 


OBB-Personenverkehr AG and iMobility GmbH each process personal data as inde- 
pendent data controllers pursuant to Article 4(7) GDPR. 


OBB-Personenverkehr AG processes the following data: 


Data collected on the company: company name incl. VAT number and company register 
number, address data, country, monthly invoice amount, customer number and contact 
person. 


Data collected on the employee: e-mail address 


Please be advised that OBB-Personenverkehr AG has no insight into the specific book- 
ings of the individual mobility services. Booking and data processing for the mobility ser- 
vices used takes place in the app offered by iMobility GmbH, which operates it under its 
own responsibility. Further information on this topic can be found in the Data Privacy 
Statement, which you can access via the following link: https://wegfinder.at/datenschutz/ 
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All you need to know about online consultations 
with OBB travel agencies and the app dates at the 
ticket counter 


We are introducing a new service for you with immediate effect: Consultation and sales 
talks are now also conducted online. 


This procedure not only offers a good alternative for persons with restricted mobility, but 
also allows you to use the travel agency service of OBB-PV AG without restrictions from 
wherever you are. 


Even if the sales and consultation meetings are held online, we will not record any of the 
conversations. 


Online consultations in travel agencies are only provided at your request and are not 
mandatory. For this purpose, you have the option of booking an online consultation at 
https://reisebuero.oebb.at/ (registration for appointment). Registration generates an email 
that is delivered to the inbox of your selected branch. 


In the event of an app date at the ticket counter, your registration will be sent by email to 
an internal central coordination unit for appointment management. 


The following data is collected as part of the registration for an appointment at a travel 
agency: First and last name, e-mail address, telephone number, date on which an ap- 
pointment is requested, requested branch, time window and comments. This data is used 
exclusively for online consultation and the sale of travel products. 


The following data is collected as part of the registration for an appointment at a ticket 
counter: First and last name, e-mail address, telephone number, date on which an ap- 
pointment is requested, requested counter, time window, type of operating system (Apple 
or Android), areas of interest and comments. This data is used exclusively for on-site con- 
sultation. 
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All you need to know about the Schulcard webinar 


OBB-Personenverkehr AG offers webinars for Schulcard customers, in which questions 
about booking with the Schulcard are answered and topics such as rail & environment, 
safety at the station and the range of offers for youth group travel with OBB are dis- 
cussed. 


Customers have the option of booking a webinar through a form (registration for appoint- 
ment). The invitation to the webinar, including the invitation link, is then sent by e-mail to 
the e-mail address provided by the Schulcard customer. The webinar is only provided at 
your request and is not mandatory. 


Registration generates an email that is delivered to the Schulcard Management inbox at 
www.schulcard.oebb.at. 


The following data is collected as part of the registration for an appointment: First and last 
name, e-mail address, school, date on which an appointment is requested, requested 
time window. This data is used exclusively for the purposes of the webinar. 
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All you need to know about other services 


Scotty timetable information including push services (app/ 
web) 
General 


Our timetable information service SCOTTY mobile and web offers you the opportunity to 
obtain information about timetables, stations or the current transport situation of OBB 
trains and several other transport operators. With the door-to-door timetable information 
you can query the fastest route from A to B throughout Austria and use other services. 
Moreover, additional relevant information is available, such as data on station or train 
equipment, as well as the opportunity to store journey data in your own calendar. 


Data storage 


SCOTTY mobile and web is a service which can be used without registration. This ser- 
vice is therefore generally anonymous, because storage of your contact data, location 
data, calendar entries, query results, etc. is not carried out by OBB. The only exception is 
if you make use of our push notifications. As a result, OBB cannot and will not use data 
for any other purposes. Your query results remain completely anonymous and will not be 
stored, meaning that we cannot and do not create user profiles. 


How does SCOTTY mobile function from a technical perspective? 


An active Internet connection is required for the installation of SCOTTY mobile on your 
device and to communicate with our information server, which calculates connection res- 
ults for you. Depending on the operating system, the authorisation to use the Internet for 


this is referred to as “data services”, “Internet” or “access to all networks” 


Depending on the operating system used, certain platforms (e.g. Android) display stand- 
ardised security information as required by the operating system when first installing 
SCOTTY mobile or using the app. However, this explanatory information (e.g. reading 
confidential information, such as call records) does not refer to SCOTTY but to the oper- 
ating system’s general default settings and therefore cannot be modified by OBB. 


In order to allow you to use all functions of SCOTTY mobile, it is necessary to grant fur- 
ther rights, allowing for access to specific data for your device. You can revoke the applic- 
ation’s rights individually at any time. Depending on the operating system used, you can 
deactivate them yourself in the security or systems settings. 


In detail, depending on the operating system used, the granting of the following 
rights is explicitly requested by SCOTTY mobile: 


Contact data: These will only be used to display the transport connection to or from a 
contact from your address book. Only city names, roads and house numbers are trans- 
ferred. We will not store (nor cache) such data. 


Position or location data: Your current location can only be identified for an optimal 
connection search by SCOTTY mobile if you wish, in order to search for travel connec- 
tions from there or to find stations nearby. No caching is carried out, either, and as a res- 
ult the creation of movement profiles, etc. is not possible. 


Movement and direction sensor, compass function: This function makes it easier to 
search for stations nearby. We will not store (nor cache) such data. 


Calendar: SCOTTY mobile offers you an additional service to store travel data for your 
connection in your device’s calendar. This service is not compulsory, but is determined at 
your personal discretion. Depending on the operating system, the related security inform- 
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ation “Read calendar dates and confidential information” or “Add or change calendar 
dates without the knowledge of the owners and send e-mails to guests” relate to this 
function. However, the actual contents of the calendar will not be read. 


Amend or delete USB memory contents: This access is only required if you wish to 
store SCOTTY mobile on the SD card. 


Install links: This right is necessary in order to create shortcuts for connections and de- 
parture boards. 


Read call list: This right is required by the Android operating system by default if address 
data can be read from contacts. Information in the call list, however, will not be read by 
SCOTTY mobile. 


Photo, music and video libraries: This right is required for technical reasons in order to 
create live tile graphics (cards). No private data is retrieved in the process and no data 
that would be visible for other apps is written onto your device. 


Camera: Frecord photos and videos: this right is required in order to use augmented real- 
ity. No photos or videos will be stored. 


Notifications: This right is required to receive and display push messages (e.g. informa- 
tion on delays). 


How does the “Notifications” function in Scotty mobile and web work? 
A push notification is available to you both with Scotty mobile and with Scotty Web. 
Registration 


1. Scotty mobile: in order to set up the push notification, simply search - as usual - for 
your connection and then click on the “Notifications” button. You will then receive a 
corresponding push message on your Scotty mobile app. 


2. Scotty Web: you can order an e-mail notification via Scotty Web by selecting a con- 
nection and clicking under “Details of the connection”. You can find the “Notifications” 
button there under the selected connection. After entering your e-mail address, we 
will send push notifications to your disclosed e-mail address. 


As a result, you can decide whether or not you wish to use the function. 


Notifications are completely free of charge to you. We will inform you if we have the ne- 
cessary information on delays, changed departure platforms, risky connections, train can- 
cellations or deviations and recommendations for the connection selected by you. As 
soon as there is any change to your connection, you will receive a push notification, 
provided we hold such information. 


Unsubscribing: 
In addition, you can deactivate push notifications again at any time. 


1. Scotty mobile: you can delete your services in the “Manage notification” area or deac- 
tivate them for a specific period. 


2. Scotty Web: any deviation notification shall be furnished with an unsubscribe link for 
this purpose, by means of which the service can be cancelled. 


If you use the “Notifications” function, identification parameters, travel connection data, 
device IDs, relevant intervals and your e-mail address are stored in Scotty web. Data are 
stored in case of one-off notification, as long as the selected connection is valid. If you 
have repeatedly set notifications on certain days, data shall be stored for as long as re- 
peated notification is requested by you. 


Scotty mobile analytical service 


version: 2022.04 
Valid from: 27/04/2022 Page: 40 / 59 


OBB 


In the event of app usage, it records user activities without the option to draw conclusions 
on a specific person. The anonymous analysis helps us to further improve the app and 
adapt it in a targeted way to the needs of our customers. If you still do not request this 
analysis, you can deactivate the analysis in the app (see menu item “Settings” — “Record 
anonymous user activities”). 


The analysis is conducted via an anonymous user ID, which does not allow for traceabil- 
ity or an opportunity to draw conclusions about the identity of a specific person. 


Google Firebase Analytics is not used in our analyses and has been deactivated by us. 


Statutory information pursuant to § 20 (3) of the Railway 
Transport and Passenger Rights Act 


We are legally obliged to inform our passengers about any breakdowns, about activities 
that are expected to result in breakdowns such as delays or train cancellations from 
transport services and the anticipated impacts. In case of personal bookings, such as re- 
servations, there is an enhanced information obligation for other information technologies, 
where contact data are known to us. 


As a result, prior to the start of your journey, we will send you an e-mail notification, re- 
gardless of whether you have registered for a push service, in the event of a ticket 
booked online or on a mobile device with a fixed departure data and time, if at the time of 
booking the timetable for the connection is not yet fixed and therefore the departure and/ 
or arrival time of the booked train can still change and we are aware of new travel inform- 
ation. In the event that you have made a booking via customer service or at a ticket 
counter, you will only receive a notification if you have disclosed your e-mail address to 
us. 


If you have booked a Nightjet connection, we will inform you by telephone in the event of 
any changes — provided that this is now possible. Therefore, a telephone number is a 
mandatory requirement when making a booking. 


However, such notifications shall be issued at the earliest 180 days before the booked 
start of the journey. 


If you no longer wish to receive such notifications for a journey, you can simply cancel 
further notifications by clicking on the link “Cancel notification” in the e-mail notification 
“New travel information on your booking”. 


For the purpose of statutory customer information, we also receive data from other rail- 
way companies, ticket vendors and transport association organisations for the purpose of 
providing notifications regarding deviations. 


If customers book tickets where the transport service is provided by a third party railway 
company, we will pass on the relevant data to the competent railway company so that 
you can be notified by the respective railway company in the event of any deviation. 


For the purpose of notification, the following personal data will be processed by the data 
controller, if disclosed by you: 


First and last name, e-mail address, telephone number, details of the timetable connec- 
tion (departure stop, destination stop, date and departure time/arrival time, train number). 


If you have booked a ticket for a EuroNight train on Swedish Railways SJ (Stockholm — 
Hamburg), we will pass on the following data that you have provided during the booking 
process to Swedish Railways: first and last name, e-mail address, telephone number, 
booking and reservation data. This ensures that Swedish Railways, which provides the 
rail service, is able to notify you directly of any deviations. This also ensures that, where 
applicable, you receive the legally required information pursuant to Article 6 Para. 1 lit. c 
GDPR from all railway companies involved. 


version: 2022.04 
Valid from: 27/04/2022 Page: 41 / 59 


OBB 


Further information on how Swedish Railways handles data can be found at the follow- 
ing link: Terms and Conditions of Data Protection — SJ 


OBB Alexa Skill on Amazon 


Using the OBB-Alexa Skill on Amazon, you can search for train connections or query 
departure information from railway stations (departure board). 


Connection information contains detailed information on the journey, including the train 
number, duration of journey, platforms and the lowest currently available price. You can 
find further details on the functions of OBB-Alexa Skill in the description of the skill on 
Amazon. 


The OBB-Alexa Skill can only be used to query connections, pricing and other OBB in- 
formation. Connections of other transport operators are not covered by this service. 


In the course of use of the OBB-Alexa Skill, no personal data of customers are collec- 
ted and used by OBB-Personenverkehr AG. The OBB-Alexa Skill is used anonym- 
ously. OBB has no knowledge of whether you use the OBB-Alexa Skill or which queries 
you make to the OBB-Alexa Skill, because OBB is unable to establish any personal refer- 
ence to you. 


In order for the service to be used, certain technical data are collected by OBB-Personen- 
verkehr AG, which do not allow for any conclusion to be drawn on your person: 


¢ Date and duration of use 
* Queries to the OBB-Alexa Skill (e.g. timetable connection) 
e Error reports in the use of the OBB-Alexa Skill 


Only those technical data which are necessary to allow for the use of the OBB-Alexa Skill 
are forwarded to Amazon by OBB. 


In order to protect your data, the data transmission from OBB to Amazon or from Amazon 
to OBB is encrypted by TLS 1.2. 


Data collected and processed when using the OBB-Alexa Skill are stored for a period of 
one year and automatically deleted following the lapse of this period. Access to data has 
been reduced to the extent that is absolutely necessary. 


Onboard portal Railnet & Railnet Regio 


If connected to WiFi on your train (“OEBB”), the OBB onboard portal offers passengers 
access to service functions related to the train and the journey, to the ORF-TVthek (ORF 
TV library) as well as free access to over 100 digital Austria Kiosk newspapers and 
magazines, among other things. 


In order to use the WiFi and the onboard portal with all its functions, you as the user must 
agree to the terms of use when connecting to the WiFi. The terms of use also inform you 
about the use of cookies on the OBB onboard portal. 


Cookies are used by the onboard portal in order to allow for the provision of a compre- 
hensive and customer-friendly service. Cookies are used for the following functions: jour- 
ney preview, ORF TVthek, data analysis by Piwik (Matomo). 


When using the OBB onboard portal, no personal data about customers will be col- 
lected and used by OBB-Personenverkehr AG. Therefore, the use of the OBB onboard 
portal is anonymous. 
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Use of Google Maps 


Google Maps is an online map service, which looks at the earth’s surface as a roadmap 
or an aerial or satellite image, on which locations of institutions or known structures are 
also displayed. 


We use Google Maps for the following purposes: 
e To select routes on the home page https:/Awww.nightjet.com/ 


¢ To display sights on city pages (for example at: https://www. nightjet.com/reiseziele/ 
oesterreich/innsbruck.html) 


e To display connections on country pages (for example at: 
http://www.nightjet.com/reiseziele/italien.htm!) 


“Google Maps JavaScript API” is used for these purposes. No personalisation is imple- 
mented and no cookies are set by Google Maps-API. 


Provision of mobility services for persons with restricted 
mobility 
We can organise optimal assistance for you at the station upon free advance notice at 


OBB customer service, at the OBB ticket counter, or at an information point at the train 
station. Please let us know about your desired journey in good time (see 


https://www.oebb.at/de/reiseplanung-services/barrierefrei-reisen/mobilitaetsservice.html). 


We require the following data for advance notice: (1) first and last name and address; (2) 
phone number for queries and communications; (3) journey date, route (departure/trans- 
fer/arrival station); (4) disclosure of whether you are travelling with a companion or lug- 
gage; (5) type of mobility restriction (wheelchair user, walking disability, visual impair- 
ment, other restriction); (6) disclosure of whether any aid is required (lifting device, rail- 
way wheelchair,...); (7) disclosure of the meeting point at the station; and (8) carriage and 
seat number. 


Data on a provided service will be stored by OBB-Personenverkehr AG on a national 
level for a maximum period of three years and subsequently automatically deleted in or- 
der for data to be available in the event of customer queries. 


In the event of cross-border journeys, data are transferred to a database provided by the 
International Union of Railways (UIC, Union internationale des chemins de fer), to which 
only relevant partner railways (partner operators) have access for handling the mobility 
service. This is intended to ensure that appropriate assistance is provided at an interna- 
tional arrival station or stations by the responsible international partner railways (partner 
operators). The provision of a cross-border mobility service was agreed internationally 
within the framework of a separate agreement. In particular, the scope of data disclosed 
in the individual case and the intended use were restricted to the extent that is absolutely 
necessary. In order to provide a cross-border mobility service, the following data will be 
disclosed and stored in the UIC database until completion of the journey: journey data, 
title, first and last name, e-mail, language, type of mobility restriction, aid, other significant 
information, e.g. companion or service dog, luggage, date of birth in the individual case, 
depending on the destination. The above data shall therefore be deleted immediately fol- 
lowing completion of the journey in the event of cross-border journeys. 


Door-to-door luggage service 


In combination with a ticket, you can make use of a luggage service for normal luggage 
items as well special baggage for journeys within Austria (see fare regulations). 
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The booking can be made through our company (i.e. at the ticket counters or by phone 
via the customer service). We are available to you as a contact for our cooperating part- 
ner (Q Logistics GmbH, 1120 Vienna, Pottendorfer Strasse 23-25). 


The cooperating partner shall perform this service at its own responsibility. In order to al- 
low the cooperating partner to perform its logistical service, the following data - as- 
signable to you - shall be disclosed to such a partner for the performance of the service, 
which you communicated to us when booking this service: first and last name, phone 
number, e-mail address, collection and delivery address, date of collection and delivery. 


If you wish, we will be happy to pass on complaints and other queries to the cooperating 
partner as required. 


Services provided by our chatbot 


In addition to telephone enquiries or requests via the contact form provided on 
www.oebb.at, you also have the possibility to use our chatbot / OBB.Bot. OBB.Bot is at 
your disposal for information and services regarding various topics: 


a) Information on the subject of passenger rights (further details available at 
https://www.oebb.at/de/reiseplanung-services/kundenservice/refundierung-chatbot) 
b) Information on the Klimaticket O (further details available at 
https://www.oebb.at/de/reiseplanung-services/kundenservice) 

c) Information on the subject of customer cards (further details available at 
https:/Awww.oebb.at/de/reiseplanung-services/kundenservice/vorteilscard-chatbot) 


Our OBB.Bots are text-based dialogue systems that allow you to chat with a technical 
system for standard enquiries and routine tasks. 


This offers you a further option to get in touch with us quickly and easily. Your request 
can also be processed faster. 


When you use the OBB website and the OBB.Bot embedded on the website, personal 
data will be automatically collected to the extent absolutely necessary for technical reas- 
ons (i.e. the IP address and device information) if the OBB.Bot is only used for informa- 
tion purposes and you do not disclose any additional personal data. In this case, data is 
processed on the basis of Article 6 Para. 1 lit. f GDPR (legitimate interest of OBB-PV 
AG, which consists in the provision of relevant customer information and the technical 
provision of the website) as well as on the basis of Article 6 Para. 1 lit. b GDPR, i.e. to 
process your request. This data is deleted after one year. 


In the case of pure product information, no customer data is required by us and no such 

data is therefore collected. Only if you use OBB.Bot for data changes or in case of ques- 
tions regarding the execution of contracts, data will — if this is required in individual cases 
to process your request — be collected and processed to the extent absolutely necessary. 


If you wish (consent), a transcript of your chat can be made available to you at the e- 
mail address you have provided. Alternatively, you can download your chat transcript 
during the session. This consent is limited in time and only relates to your current en- 
quiry, so that separate consent will be obtained for any subsequent enquiries. This con- 
sent can be revoked by closing the chat window. 


With certain OBB.Bots, a live chat is also possible, in which you can exchange informa- 
tion with one of our agents. 


Should data collection or disclosure be necessary, the following data that is required to 
process your enquiry in accordance with Article 6 Para. 1 lit b GDPR may be collected, 
depending on the reason and subject of the enquiry: 
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Enquiries via the OBB-Bot regarding passenger rights: first and last name, complete ad- 
dress, e-mail address, complete bank details, OBB customer number, OBB ticket codes 
and the subject of the enquiry. 


Enquiries via the OBB-Bot regarding customer cards: first and last name, date of birth, 
complete address, e-mail address, telephone number, type of customer card, card num- 
ber, period of validity, subject of enquiry. 


Enquiries via the OBB-Bot regarding the Klimaticket O: first and last name, date of birth, 
complete address, e-mail address, telephone number, type of customer card, card num- 
ber, period of validity, complete bank details, OBB customer number, OBB ticket codes 
and the subject of enquiry. 


In OBB.Bot itself, this data is available for one year. In the relevant downstream systems 
for my respective enquiry, this data is deleted after expiry of the statutory retention ob- 
ligations, which depend on the subject of the enquiry (i.e. either after three years or after 
ten years). 
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All you need to know about our pilot projects 


General 


We conduct pilot projects under our own responsibility in order to improve our services 
and our product portfolio, in which our customers may participate on a voluntary basis. 


Bike sharing 
Stationary bike rental for tourists via the BIKE TIROL app 
Customers can book and pay for bicycles with Inn-Bike GmbH via the BIKE TIROL app. 


The data controller is Inn-Bike GmbH (Salurnerstrake 2, A 6330 Kufstein, Tel: +43 
(0)5372 63547, e-mail: info@inn-bike.at 


OBB-Personenverkehr AG acts as a contract data processor by providing a sales plat- 
form for bicycle rental. This sales platform is operated by the contract partner Mo.Point - 
Mobilitatsservices GmbH, NiederhofstraRe 30/13, A-1120 Vienna, www.mopoint.at or Di- 
gital Mobility Solutions GmbH, Vaalser Str. 17, D-52064 Aachen, ttp://moqo.de. 


Various companies participate in this cooperation, in particular: 
e OBB-Personenverkehr AG as the provider of the sales platform, 
e OBB-Infrastruktur AG: Provision of space 


e Inn-Bike GmbH: Provision of the infrastructure (e-bikes, bike lounges, locking sys- 
tems) 


e Tirol Werbung: Advertising in cooperation with OBB PV 
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Direct marketing - General and personalised 
advertising offers 


General and customised electronic offers 


We use personal data in order to send yougeneral information, offers and recom- 
mendations as well as information, offers and recommendations tailored specific- 
ally to your mobility needs and user behaviour or to have such information sent to you 
by our cooperating partners (customised offers). However, this is only the case if you 
grant your consent in advance to let us contact you by e-mail, telephone, SMS or other 
OBB channels (e.g. OBB account), in order to inform you in a timely manner about inter- 
esting offers, new developments and services. 


Your personal data will exclusively be used by us in both cases and not transferred 
to cooperating partners or other affiliated companies. 


Depending on the content of the consent granted by you, you will receive offers and other 
information from us concerning OBB-Personenverkehr AG (for example on general ser- 
vices, sweepstakes and customer surveys) and the OBB Group, i.e. including other affili- 
ated companies (e.g. information on travel offers from Rail Tours Touristik GmbH or car 
sharing offers from Rail Equipment GmbH) or other cooperating partners. 


If you wish to receive customised information and recommendations adapted to your 
needs (based on your previous purchasing and travel behaviour or your other personal 
preferences), we can forward these to you for: 


* our products and services; 

e current or individually tailored offers; 

e vouchers; 

e sweepstakes and campaigns; 

e customer surveys; 

e relevant services (in particular information on the OBB account and our apps); 


* product and travel recommendations (including travel insurance and additional offers 
for tourists); or 


e other customer loyalty activities. 


The compilation of these contents is based on evaluation of the following data: first 
and last name, date of birth, address and contact data, details stored on your person re- 
garding bookings, customer cards and season tickets, discounts, travel and voucher data, 
geodata, preferences and customer loyalty activities associated with you, device and 
browser information, including user behaviour assignable to you or data on any mobility 
preferences or restrictions. 


Details on booking data include, for example, your selected travel date and time, the ac- 
tual booking date, booked tickets or special additional offers for tourists, seat reserva- 
tions, information on utilised offers or vouchers added to your account, information on the 
start and end station, the sales channel, selected timetable connections including inter- 
mediate stops, train types, wagon classes or compartments, information on booked night 
or day trains, currency used, vehicle data, bicycles, accompanying dogs, information on 
booked pieces of luggage, as well as information on whether you are travelling alone, 
with other people or with a child (or children). 
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In order to provide you with customized information on customer cards and season 
tickets, we use details of valid/expired/extended customer cards, such as Vorteilscard 
[discount card], Osterreichcard [Austria card] and any SEPA mandates, as well as details 
of acquired season tickets, e.g. hourly passes, weekly passes, monthly passes. 


By discount data, we mean your discounts used in buying tickets, such as indication of a 
Vorteilscard, Osterreichcard, city transport ticket, family pass, etc. 


Travel data include information on already commenced or planned (booked) journeys, 
information on the duration of your journey, any delays, validation details regarding your 
ticket or your customer card, as well as details of such journeys referred to under booking 
data. 


If (e.g. in the context of a campaign) a voucher was added to your OBB account, we will 
use such information to deliver reminders to you about its use, for example. Moreover, we 
will use the information once the voucher has been cashed, as well as details of the jour- 
ney booked or the product purchased with such voucher. 


Geodata are used for so-called location-based services. Location-based services provide 
you with selective information by means of position-dependent data. 


By preferences assigned to you we mean, for example, your connection favourites, 
your stored payment favourites, timetable connections stored by you (including other pas- 
sengers, selected timetable filters, 1st class journeys, request for a seat reservation, jour- 
neys on specific weekdays). 


Customer loyalty activities include information and further details on previously sent 
sales and campaigns, vouchers, sweepstakes, customer surveys, recommendations and 
other information. 


Device and browser information including user behaviour assignable to you in- 
cludes information on your employed devices (computer, laptop, smartphone, etc.) with 
which you visit our websites and the associated web browsers (e.g. Internet Explorer, 
Firefox, Safari, etc.). This also includes information on whether you have downloaded and 
used the OBB App. Your assignable user behaviour includes, for example, details on the 
use of your OBB account with relevant devices and the OBB App (e.g. account creation 
details, settings implemented, such as e.g. gender and language, details of logins, added 
discounts and customer cards, deposited vouchers, ticket purchases and reservations, 
stored favourites, etc.). In addition, technical information (e.g. IP address, browser type 
and version, time of access by the visitor’s computer) is collected in order to determine 
whether an e-mail has reached you, which e-mails you have opened when and which 
links in the e-mail you have accessed. 


We use data on any mobility preferences or restrictions in order to offer you relevant in- 
formation, recommendations and services in the event of you needing a wheelchair place 
or if a companion or service dog is travelling along, etc. 


We use the technologies of Emarsys eMarketing Systems AG (MarzstraRe 1, 1150 
Vienna, www.emarys.com), which acts as our contract processor, to create and send out 
customised offers. Emarsys supports us in the planning, implementation and analysis, es- 
pecially in the technical implementation and handling of our measures, as follows: 


* The functionality of Emarsys Smart Insight allows us to tailor customised offers based 
on the history of your individual purchasing behaviour. Your data is analysed and cat- 
egorised using mathematical-statistical methods (eRFM scoring parameters) in order 
to recognise typical purchasing behaviour patterns and to be able to tailor our inform- 
ation, offers and services to your individual interests. 
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e Our contract processor’s technology furthermore enables us to evaluate the use of 
our e-mail newsletters. Among other things, we receive information as to whether an 
e-mail has reached the recipient or has been rejected by the server. For the evalu- 
ation, the software uses a so-called tracking pixel (web beacon), which is retrieved 
from the Emarsys server when the e-mail is opened. The analyses also include de- 
termining whether our newsletters are opened, when they are opened and which links 
were Clicked. In the process, technical information (e.g. IP address, browser type and 
version, time of access by the visitors computer) is collected. These evaluations help 
us to recognise our recipients’ reading habits and to adapt our content to reflect these 
or to send different content in accordance with our recipients’ interests. 


This type of data processing also involves profiling as per Article 4 No. 4 GDPR, to the 
extent that it concerns the preparation and sending of customised offers. 


Profiles are created about our customers, which 


e allow conclusions on the probability of their future purchasing, booking and usage be- 
haviour, 


e allow for target group selections and aggregated or concrete evaluations regarding 
products and services. 


Our general and customised offers can be sent by mail, e-mail, as a push message, in 
your OBB account or via other OBB channels. 


This special form of processing is based on your consent in accordance with Article 6(1) 
a) GDPR, to the extent that we are entitled to carry out such data processing. 


We use profiling methods to optimise and personalise our advertising measures. 
Below, you will find information on the logic involved as well as on the scope and inten- 
ded effects of these procedures. 


e In order to optimise and personalise our advertising measures, we create customer 
profiles and use these customer profiles to assign customers to specific customer 
segments. Based on this segmentation, we can control the type, content and fre- 
quency of certain advertising measures for specific target groups. 


For profiling, we use data that we receive from you within the scope of our customer 
relationship, provided that you have given us your consent for “Newsletter, Info & Ser- 
vice”. Address and contact data, purchase, booking and travel data, information on 
customer cards and season tickets, discount data, data on mobility preferences and 
usage data. Profiling can be based in particular on user profiles derived from usage 
data, which we create with the customer’s consent by measuring and evaluating the 
customer’s interaction with electronic advertising, in particular by measuring and eval- 
uating the opening and click rate in e-mail newsletters. 


¢ An important factor in the establishment of our customer segments is the so-called 
scoring, in which we evaluate customers according to scientifically recognised math- 
ematical-statistical procedures based on aspects relevant to advertising. 


¢ The scope and impact of customer segmentation based on profiling is limited to tar- 
get-group-specific management of the type, content and frequency of our advertising 
measures and the level and value of potential incentives. This may result in you re- 
ceiving or not receiving certain measures which may or may not be made available to 
other customers. 


Special additional services and offers 


You also have the opportunity to register for special offers and services, for example for 
the Nightjet newsletter, Scotty push service or information on usability tests. 


version: 2022.04 
Valid from: 27/04/2022 Page: 49 / 59 


OBB 


Please note that any of these services which require separate consent must also be re- 
voked separately. As a result, revocation of any individual consent does not apply auto- 
matically to all additionally submitted declarations of consent, but they must also be re- 
voked separately. 


Advertising sent by post 


If we are aware of your address due to purchases and services, or we are allowed to buy 

it from third parties (e.g. from Osterreichische Post AG), we can send you event-driven in- 
formation, offers and recommendations by post. You can prevent the sending of such in- 

formation at any time, by declaring your objection (see explanations below). Following re- 
ceipt of an objection, we will no longer send you any other announcements. 


Postal deliveries will also be made to our stakeholders at regular intervals, for example 
prior to the annual timetable change as well as ad-hoc for relevant subjects. 


Please note that the annual invitation to renew the contract does not constitute a direct 
advertising measure. Based on existing contractual obligations (see our GTC [General 
Terms and Conditions] for the Vorteilscard or Osterreichcard), we will also continue to 
send you this invitation to renew the contract, and even if you had exercised your right to 
objection, especially as such a consignment is not subject to the right of objection to dir- 
ect marketing. 


Revocation of granted consent and objection to direct marketing 


If you no longer wish to be included in our direct marketing activities, you have the right to 
file an objection thereto (Article 21(2) and Article 22 GDPR) or to revoke your previously 
granted consent. The following options are available for you to make these declarations: 
* If you have declared your consent electronically, you can then declare revocation un- 
der “My account/ newsletter, info & service” in the OBB account. 


e In a newsletter, simply click on the unsubscribe link and we will stop sending you 
electronic mail in the future. It may take up to 24 hours for the activation of a revoca- 
tion to be completed in the systems. 


e In all other cases, please contact our OBB customer service using the contact form 
at www.oebb.at/kontakt. 


If you have exercised your right and decided against any use of your personal data for 
advertising purposes (in particular direct advertising), in accordance with your request, 
you will not receive any information, offers and news and can no longer log onto your 
OBB account for our “Newsletter, Info & Services” service. 


If at a later point in time you wish to reactivate our services in your OBB account under 
“Newsletter, Info & Service”, please contact our customer service at 


OBB Customer Service 

(Subject: Newsletter, Info & Service) 
Postfach 222 

1020 Vienna 


version: 2022.04 
Valid from: 27/04/2022 Page: 50 / 59 


OBB 


Anonymised data analysis 


Statistical analyses shall be conducted for the following purposes in particular: 


e Are functions used regularly in our software? This allows us to check on whether spe- 
cific functions are important for users of our website or app 


e Which tickets are purchased? This allows us to check on whether our product portfo- 
lio meets the demands of our customers. 


e Does navigation comply with the behaviour of software users? This allows us to 
check on whether we can design the purchase process in a way that is more agree- 
able for our customers. 


We also create anonymised data analyses, in which we evaluate personal data and in- 
formation about age, gender, region, postcode, products, driving, purchase and user be- 
haviour, in order to draw conclusions on the development of new products and services 
or to improve our existing service portfolio. 
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Market and opinion research, customer surveys 


Market and opinion research, customer surveys 


In order to improve our products and services and adapt them to customer requirements, 
we conduct surveys with different target groups: on the one hand with people who do not 
use the train and on the other hand with people who use a railway operator (irrespective 
of which) or people who use OBB. In this context, we commission market research com- 
panies or conduct the surveys ourselves. Persons to be surveyed can be selected either 
completely randomly or based on social statistics or usage-specific factors. Contact with 
participants can be implemented via the pools of respondents for market research com- 
panies - carried out without our input at the sole responsibility of partner operators. Or we 
invite interested persons in general, without individually addressing participation in the 
survey. In case of specific survey topics, we also address customers of OBB PV AG. 


Establishing personal reference is not intended for any surveys. All surveys are conduc- 
ted completely anonymously. This is true even if we write to you directly as customer or 
you have declared your consent in advance to participate in a survey. We or independent 
third parties also conduct anonymous surveys on our passenger trains. 


We only receive or compile an overall evaluation of data, which do not show individual in- 
terviews or persons. 


If we address our customers directly, we will then exclusively contact people who have 
given consent thereto. 


Should we conduct the survey in cooperation with a market research company in specific 
cases, we shall conclude a separate confidentiality agreement with said company in ad- 
vance of a customer survey, laying down the secure handling of your data specifically for 
the individual case. In particular, this agreement shall ensure that the company will not 
transfer your data to other market research institutions and other third parties for surveys 
for their own purposes. 


In any case, you are not obliged to take part in any of our customer surveys. 
Usability tests 


If you apply as a test user, you can take part in usability tests conducted by our company 
for the further development and improvement of our ticket and timetable tools. Each test 
is subject to separate conditions of participation (see website). In this case, we will con- 
tact you as a possible test user and request your participation in future tests. Naturally, 
your participation in each individual test is voluntary. 


You are entitled to revoke your consent at any time and declare that you no longer want 
to be contacted for further tests. 
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Cookies, web analysis and social media 


Use of cookies 


Cookies are small text files or codes, which contain information units. These text files are 
stored on your hard drive or in the main memory of your browser if you visit one of our 
websites. Thanks to cookies, the contents of our websites can be structured more easily 
and devices on which you have previously visited our websites can be identified. We use 
cookies to gain a better understanding of the functioning of applications and websites and 
to analyse and optimise the user experience when using our websites online and on mo- 
bile devices. 


The cookies we use also allow us to display travel suggestions on the home page based 
on the customer's queries and bookings. 


Cookie categories 
We primarily use cookies from the following categories on our websites: 
Operationally necessary cookies 


These cookies are necessary to allow you to use our websites as intended and make all 
functions available to you. Without such cookies the requested services cannot be 
provided. These cookies do not record information about you and do not store Internet 
locations. Absolutely necessary cookies cannot be deactivated on our site. However, they 
can be deactivated at any time on the browser that you use. 


Functional Cookies 


These cookies are necessary for certain applications or functions of the website, allowing 
them to be duly executed. This may for example include cookies, which store implemen- 
ted settings such as a visitor's language setting or even — assuming your prior consent — 
pre-completed forms. 


Storage period: in the event of a session cookie for the period of the session, or in the 
event of your prior consent for the period of your consent. 


Analytical cookies 


These cookies collect information on user behaviour for visitors to our websites. For ex- 
ample, a record is kept of which websites are most frequently visited and which links are 
clicked on. All recorded data are stored anonymously together with information for other 
visitors. Using data obtained by these cookies, we can compile analytical evaluations on 
our website using Piwik and thereby continually improve the user experience. 


Storage period: in the event of a session cookie for the period of the session, in all other 
cases (for example for our web analysis service PIWIK) for a maximum three years. 


Preference cookies 


These cookies allow us to display travel suggestions on the home page based on the 
customer’s queries and bookings. 
First party cookies 


First party cookies are generated by the website operator whose site the user is visiting. 
These are stored locally on the user's computer. With a first party cookie, the user can 
only be recognised by the site from which the cookie originates, but not across multiple 
domains. 


Third party cookies 


Third party cookies, also called tracking cookies, are a common means of marking a vis- 
itor to a website so that they can be recognised at a later point in time. 
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These are data records that are stored in the user’s browser when they visit a page with 
advertising. 


Third party cookies are used to monitor a user’s browsing behaviour over a longer period 
of time, including without explicit registration by the user on a website and across multiple 
web offerings, and to provide advertisers with useful information such as: 


e User navigation via links 
e Time spent on different sites 
¢ Different page views and frequency of views 
Currently, we only use first party cookies which are either 
e technical in nature and are absolutely necessary for the ticket shop to function, or 


e technically necessary for a customer feature (display of the most recent searches for 
easier/accelerated purchase for frequently searched journeys (see also explanations 
in the Section “All you need to know about the OBB Ticket Shop and OBB App’)). 


3rd party cookies are not used. 
How long are cookies stored on my device? 


The time that a cookie stays on your device depends on whether it is a persistent cookie 
or a session cookie. Session cookies only remain on your device until your browser ses- 
sion is finished. Persistent cookies remain stored on your device, even after you have 
completed a browser session, until such time as the preset time for the cookie has ex- 
pired or it has been deleted. 


For consent-based cookies, we retain a consent and revocation history for a period of 
three years. 


Withdrawal of consent 


The website provides a revocation option that you can use if you wish to withdraw your 
consent. Should you have any questions, please don’t hesitate to contact our customer 
service. 


PIWIK (Matomo) web analysis 


Our websites and digital dialogue with our customers (e.g. newsletter) use Piwik, a web 
analysis service. Piwik uses cookies, which allow us to conduct an analysis of the use of 
our websites. 


For this purpose, the usage information generated by the cookie (including your truncated 
IP address) is transferred to our server and stored for usage analysis purposes. This 
helps us in optimising our websites. During this procedure, your IP address is immedi- 
ately anonymised, so that you remain anonymous to us. 


The information generated by cookies on the usage of our websites is not passed on to 
third parties. 


You can prevent the use of cookies through according settings in your browser software. 
This may, however, result in your not being able to fully use all functions provided by our 
websites. 


If you do not agree to the storage and analysis of data in relation to your visit and the use 
of our websites, you can object to such storage and usage at any time (see terms of use 
for the website www.oebb.at). In this case, a so-called opt-out cookie will be stored in 
your browser. As a result, Piwik will not collect any session data. 
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For technical reasons, we have to collect and store certain data and information of your 
visit to our website, for instance the used websites, the time and duration of your visit as 
well as data provided by the browser you are using (e.g. on the operating system and the 
used system settings). Such data and information is used by us anonymously to allow us 
to make our offerings even more participant-friendly and to technically optimise them. 


Should you provide personal data or information on our websites, we can continue to use 
them within the framework of the legal requirements of TKG [Telecommunications Act] 
without your further consent. An exception is the use for advertising or marketing pur- 
poses or forwarding data to third parties, which requires prior and separate consent. We 
will separately inform you about any communications to other OBB affiliated companies 
(e.g. in the event of a concern, complaint, etc.). 


Should you access such offerings on our websites or visit these websites, the data 
provided by your browser will be transferred to the respective operator. We are not re- 
sponsible for any contents on these websites, neither in terms of data protection nor in 
terms of the technical security of the data and information made available. In this context, 
please note that external providers may use ad personalisation technologies where re- 
quired. 


In case we provide a way to contact us via an input form on our website, we will encode 
this communication via the https protocol. Please note that other types of communication 
over the internet, in particular via e-mail, do not provide confidentiality. We therefore re- 
commend to refrain from sending confidential data and information via e-mail. 


Social media 
Social media plugins 


We have embedded contents from external providers, such as Facebook, YouTube, Twit- 
ter, on individual websites or we may transfer you to the websites of external providers. 
We could not identify any legal violations at the time of linking. Should we become aware 
of any such infringement, we will remove the link with immediate effect. In order to be 
able to recommend and share content on social networks such as Facebook, Twitter and 
Google+, corresponding buttons are integrated into the platform. 


These buttons only transfer data to external providers or other third parties if you press 
the corresponding button as participant. We have prevented an immediate transfer of 
data to external providers or other third parties in case of mere access to our websites. 
As a result, it is completely up to you to activate transfer in the individual case. 


Sweepstakes on social media and in the customer magazine 


If personal data are recorded by participants within the framework of a sweepstake on so- 
cial media, they shall exclusively be collected, processed and used for the purposes of 
implementing the sweepstake, unless you have specifically granted your consent for the 
use of your personal data for other purposes, or use of data is required in the individual 
case for legal or other overriding reasons (thus for example in the event of a legal or 
other regulatory request or in the event of legal or regulatory disputes). 


We will delete or anonymise collected and processed data following expiry of the stat- 
utory period of limitation (i.e. usually after three years have elapsed). The same applies to 
any messaging history in social media. We cannot assume any responsibility for the cor- 
rectness, timeliness and completeness of data that you have disclosed personally. In 
your own interests, please therefore ensure that data disclosed by you are correct, up-to- 
date and complete. 
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Our quality measures 


If you contact us by e-mail with requests, suggestions or criticism, we would also 
like to ensure that we have performed our service to your satisfaction. After replying to 
your concerns, we will therefore ask how satisfied you were with our service. 


This constitutes an internal quality assurance measure. For reasons of objectivity and 
automated processing, we employ a processor for this purpose, to conduct this auto- 
mated query on our behalf. In order to do so, we will exclusively hand over your e-mail 
address and customer number to the processor. We shall not provide this processor with 
the opportunity to inspect your data, to use your data for other purposes or to transfer 
them to third parties. 


Before employing the processor, we have assured ourselves that it will provide a suffi- 
cient guarantee for lawful and secure use of data. 
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How we protect your data 


For us, information security means: 
e Confidentiality of data, 
e Data integrity and 
e Data availability 


In order to guarantee information security, we have established organisational framework 
conditions and protective measures that confirm to the latest state of technology. 


These include: 

e Load distribution, 

e Firewalls, 

e Encryption, 

e Security tests, 

e System inspection and 
e Constant monitoring. 


Our employees are only granted access rights in accordance with their roles and to an 
extent that is absolutely necessary. The use of these access rights is recorded. 


Your data is protected by a secure online connection (TLS) between your PC and our 
servers, depending on the browser configuration, with at least 128 Bits. 


Security measures for the system in the event of purchase on the OBB App or an online 
purchase were developed based on the following standards: 


e ÖNORM A 7700 (standard for the security of web applications); 
e PCI DSS (Payment Card Industry Data Security Standard); and 
e ASVS (Application Security Verification Standard). 


The system therefore fulfils the security standards of the Application Verification Standard 
2010 (ASVS) and was also tested by an independent expert. ASVS 2010 represents the 
leading current standard for IT security. Moreover, the OBB App was developed in ac- 
cordance with requirements of data protection law and continually adjusted to new re- 
quirements. 
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Use of data processors 


By processors we mean our contractual partners, who process personal data on our be- 
half (example: maintenance of our databases). 


We currently employ processors, including for the following activities: 
e for customer card production and shipment thereof; 


e for communication related to the contract renewal and the dispatch of other printed 
forms; 


for the implementation of quality measures and customer surveys; 


for ticket sales by cooperating partners distributing OBB tickets on our behalf; 
e for the operation and maintenance of our customer databases; and 
e for use in individual cases. 


We only employ processors for our lawfully conducted data processing. We always as- 
sure ourselves in advance that the individual processor is suited to service performance, 
in particular that the processor provides a sufficient guarantee of secure and lawful use of 
data. 


Processors that we have selected only receive personal data from us to the extent that is 
absolutely necessary. 


Our processors have contractually undertaken: 
e to solely use personal data for the purpose of the contract; 
¢ To delete them after completion of the respective contract purpose, 
e Not to forward data to third parties, 
e not to use personal data for their own purposes; and 


e to comply with new obligations under the General Data Protection Regulation (e.g. 
keeping a register of processing activities, conducting a data protection follow-up as- 
sessment as required, etc.). 


Before employing a processor, we conclude a written agreement with the processor, in 
which special obligations are imposed on the processor and its employees, and they 
again are subject to a separate confidentiality obligation. We impose certain data security 
measures on the processor to ensure that customer data and data processing are suffi- 
ciently protected. 
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Note on the scope and consequences of incomplete 
data provision 


We have provided you with comprehensive information on the purposes of our data pro- 
cessing, categories of data recipients, the legal basis and legal framework, the storage 
period as well as the rights you are entitled to and the scope of data processing. In all 
data processing, we have taken care to ensure that data collection and data scope are 
limited to the extent that is absolutely necessary. Therefore, if we ask you to provide data, 
this is necessary in particular so that: 


you can purchase a product or service of OBB-Personenverkehr AG or a cooperating 
partner (e.g. tickets, customer card, transfer service, timetable query, mobility service, 
chatbot / OBB.Bot etc.) 


we can verify your eligibility (e.g. as part of validation, identification check for certain 
requests); 


you can assert your rights and other claims (e.g. passenger rights, assertion of any 
personal injury or damage to property, claims for reimbursement, etc.) or contact us 
with other concerns or complaints; the same applies to OBB-Personenverkehr AG; 


we can contact you in the event of a breakdown or any other event or circumstance of 
importance to you; 


we can include you — provided you have given your consent in advance — in our direct 
advertising measures and data and web analyses or involve you in our quality assur- 
ance or customer surveys. 


If you do not or not fully comply with our request for data disclosure, it cannot be guaran- 
teed that we will be able to comply with or process your aforementioned purchase or 
other request(s). 
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